REPORT DOCUMENTATION PAGE (Form Approved, OMB No. 074-0188)


1. AGENCY USE ONLY (Leave blank)

2. REPORT DATE: Fall 2000

3. REPORT TYPE AND DATES COVERED: Newsletter Vol. 3 No. 4

4. TITLE AND SUBTITLE: IA Newsletter: The Newsletter for Information Assurance Technology Professionals

5. FUNDING NUMBERS:

6. AUTHOR(S): Information Assurance Technology Analysis Center

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): IATAC, Information Assurance Technology Analysis Center, 3190 Fairview Park Drive, Falls Church VA 22042

8. PERFORMING ORGANIZATION REPORT NUMBER:

9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES): Defense Technical Information Center, DTIC-IA, 8725 John J. Kingman Rd, Suite 944, Ft. Belvoir, VA 22060

10. SPONSORING / MONITORING AGENCY REPORT NUMBER:

11. SUPPLEMENTARY NOTES:

12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release; distribution is unlimited.

12b. DISTRIBUTION CODE: A

13. ABSTRACT (Maximum 200 Words): IA Newsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a DoD sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA). Featured in the issue: USPACOM - Theater Network Operations (Ensuring Information Superiority for the 21st Century); A Retrospective on Computer Network Defense; Where There's Smoke, There's Fire; Keys to the Kingdom; Law Enforcement & Counterintelligence Support to CND.

14. SUBJECT TERMS: Information Security, Information Assurance, Global Information Grid, JTF-CND, PKI

15. NUMBER OF PAGES: 39

16. PRICE CODE:

17. SECURITY CLASSIFICATION OF REPORT: UNCLASSIFIED

18. SECURITY CLASSIFICATION OF THIS PAGE: UNCLASSIFIED

19. SECURITY CLASSIFICATION OF ABSTRACT: UNCLASSIFIED

20. LIMITATION OF ABSTRACT: None


IAnewsletter: The Newsletter for Information Assurance Technology Professionals

Volume 3 Number 4

USPACOM Theater Network Operations

Ensuring Information Superiority for the 21st Century




also inside —

• A Retrospective on Computer Network Defense

• Where There's Smoke, There's Fire...

• Keys to the Kingdom

• Law Enforcement & Counterintelligence Support to CND


on the cover

USPACOM Theater Network Operations
Brigadier General (P) James D. Bryan, USA (page 3)

ia initiatives

A Retrospective on Computer Network Defense
Major General John Campbell, USAF (page 10)

U.S. Special Operations Command Builds New NOSC
Major John J. Jordan, USA (page 16)

Where There's Smoke, There's Fire —
Brian Bottesini, Brenda Angerhofer (page 17)

Keys to the Kingdom
Captain Robert West, USN (page 19)

Law Enforcement and Counterintelligence Support to CND
Special Agent Michael R. Dorsey (page 21)

Information Assurance Training at the U.S. Army's Computer Science School
Major Mark V. Hoyt, USA (page 25)

That's NOT My Final Answer...
Ms. Victoria Alkema (page 26)

Marine Corps Active Computer Network Defense — The Changing Face of Warfare
Major Ted Steinhauser, USMC (Ret), Captain Carl Wright, USMC (page 28)

Mobile Code — Is It Worth the Risk?
Maj Boyles, USAFR (page 30)

DISA IPMO Products Promote IA Worldwide
Edward Smith (page 34)

IATAC Chat
Robert P. Thompson (page 36)

Products (page 37)

IATAC Product Order Form (page 39)

Calendar of Events (Back Cover)

IAnewsletter

Editors: Robert P. Thompson, Robert J. Lamb

Creative Director: Christina P. McNemar

Information Processing: Robert F. Scruggs

Information Collection: Page Y. Eastman

Inquiry Services: Peggy O'Connor

Contributing Editor: Ellen Loeb


IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a DoD sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA).

Inquiries about IATAC capabilities, products and services may be addressed to:

Robert P. Thompson
Director, IATAC
703.289.5454

We welcome your input! To submit your related articles, photos, notices, feature programs or ideas for future issues, please contact:

IATAC
ATTN: Christina P. McNemar
3190 Fairview Park Drive
Falls Church, VA 22042
Phone 703.289.5454
Fax 703.289.5467
STU-III 703.289.5462

E-mail: iatac@dtic.mil
URL: http://iac.dtic.mil/iatac

Cover and newsletter designed by Christina P. McNemar

Distribution Statement A: Approved for public release; distribution is unlimited.

IAnewsletter • Volume 3, Number 4

http://iac.dtic.mil/iatac


USPACOM Theater Network Operations: Ensuring Information Superiority for the 21st Century

Brigadier General (P) James D. Bryan, USA, Commander, JTF-CND and Vice Director, DISA
Mr. Patrick Gorman


"We are not smart enough to predict the future, so we have to get better at reacting to it more quickly."

—General Electric adage
Information superiority enables the realization of Joint Vision 2010 concepts by transforming the traditional battlefield functions of move, strike, protect, and sustain into the operational concepts of dominant maneuver, precision engagement, full-dimensional protection, and focused logistics. These emerging operational concepts are presumed to take advantage of particular advances in sensor-to-shooter linkages and general advances in computing and information transport. The resulting construct gives us a glimpse of network-centric warfare, a concept that asserts that in the future the primary means of generating and sustaining combat power will be a seamless joint network of sensor, information, and engagement grids that links sensors, command and control (C2) centers, and shooters. This seamless global information grid (GIG) will implement network-centric warfare concepts of speed of command, self-synchronization, and massed effects. It is also a critical precursor to a knowledge-centric force in which context and content coordination enhance C2 to enable decentralized decision making and self-synchronized operations.

The movement from a platform-centric to a network-centric warfighting environment, however, will increase the number of users, nodes, and links, significantly increasing demand on computers and data networks.

This explosion of command, control, communications, computers, and intelligence (C4I) requirements will increase the demand and criticality of network troubleshooting, network management, dynamic bandwidth management, information and network protection, and spectrum management. These functions will move from their traditional low-visibility support role to a critical high-visibility warfighting capability. In short, the network will become a weapon system and should have a command relationship commensurate with that of normal operational forces.

21st Century Warfighting Environment

Whereas warfare in past conflicts was often a sequence of semi-independently unfolding events that could be planned for at a deliberate pace, future conflict will be conducted at an unprecedented pace with great fluidity. The 21st century warfighting environment will require a new mentality for mastering the command of a vast array of forces operating at these greater speeds, over larger spaces. The campaign of the future will consist of a seamless web of interdependent actions conducted in parallel rather than a sequence of independent actions. This new technology-driven approach to warfare will require new processes and organizations. The enhanced military capabilities of speed, range, unprecedented accuracy, lethality, and strategic mobility expressed in Joint Vision 2010 are predicated on United States achievement of information superiority. However, the rapid advances in computer processing and information transportation technologies that are the foundation of information superiority are creating new vulnerabilities and challenges for the U.S. military. Foremost among these challenges is the need to manage the explosion of information and proliferation of networks while protecting both the information and the networks that carry it.

The increased emphasis on achieving information superiority is causing a proliferation of complex webs of interdependent links and an explosion in the number of computers, and data, voice, and video networks, supporting the warfighter. The movement toward split-based operations, in which many warfighting functions are performed in the rear in support of more agile forward-based forces, is blurring the lines between joint task force (JTF) forces, networks, and base, post, camp, and station command, control, communications, and computer (C4) systems. Moreover, this greater dispersion and increased connectivity will demand an unprecedented amount of bandwidth, both wired and wireless, to support joint and coalition military operations.

The complexity of the future warfighter's network demands will be compounded by the potential fragility of the global networked environment. ELIGIBLE RECEIVER, the first large-scale exercise to test our ability to respond to an attack on our information infrastructure, demonstrated that hostile forces could penetrate the national infrastructure and DoD networks, and could affect DoD's ability to perform certain missions. These findings were validated in 1998 by Solar Sunrise, a series of attacks targeting DoD network domain name servers. Both ELIGIBLE RECEIVER and Solar Sunrise clearly demonstrated that in the current interconnected environment, everyone in DoD resides in a shared risk environment. In a networked world, an event anywhere eventually reaches everywhere through ripple effects.

The demands of the future warfighting environment and the explosion in both number of users and level of connectivity are leading to the following trends:

• Greater Complexity—The sheer number of systems nested within systems makes it difficult to readily isolate and understand events, determine cause and effect, and select appropriate courses of action.

• Greater Interdependency—Information flows and networks that previously were relatively isolated along organizational lines have become interdependent because of the demand for fully integrated joint operations and the drive toward C4I interoperability.

• High Tempo—Improved information processing systems and networking capabilities have significantly decreased decision time and increased the operations tempo, forcing the Joint Force Commander to rapidly sense, decide, and respond to his environment with minimal delays. Timely and assured information delivery is no longer a luxury but a critical warfighting necessity, providing a competitive edge in warfare.

• Decreased Predictability—Increased global-level complexity and interdependence, and rapid rates of technological change make it difficult to prepare and plan for unforeseen events through traditional organizations and procedures. The competitive advantage will now go to those who can quickly and accurately anticipate and respond to rapidly unfolding events.

The 21st century warfighting environment demands new capabilities to improve the agility, speed, and accuracy of the operational forces. Achieving information superiority is at the core of these capabilities, and providing assured delivery and protected information is critical to obtaining information superiority.

Commander's Challenge

"...a failure in one part of the infrastructure affects the delicate and complex balance of the entire interconnected system. Unfortunately, the number of these types of events seems to be increasing at the same rate as our reliance on information technology."

—Mr. Arthur L. Money [1], Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD/C3I)

Operational Challenge

The emerging network-centric warfighting environment and the advent of knowledge-centric decision making have caused the Defense Information Infrastructure (DII) to evolve into a complex web of information processing and transport systems, which are monitored and controlled by different organizations from geographically dispersed locations. Under these circumstances, it is very difficult for combatant commanders, like the Commander in Chief, U.S. Pacific Command (USCINCPAC), to maintain cognizance over the various critical information systems and networks that support operations in their theaters. Unfortunately, the number and complexity of the networks that can provide information to a theater are rapidly outstripping our ability to manage those networks, protect them against intrusions and attacks, and effectively manage available bandwidth.

Currently, the Commander in Chief (CINC) has only limited ability to view the status and performance of the theater information grid and has no fusion and analysis ability to determine potential joint operational impacts of network outages and attacks, no dynamic ability to determine action alternatives, and no established C2 structure for prioritizing and executing a theater-wide response to network failures and attacks.

Desired Operational Capabilities

Joint Vision 2010 defines information superiority as "the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same." Achievement of information superiority is based on meeting three primary challenges: battlespace awareness (J2), information operations (J3), and information transport and processing (J6). Information transport and processing (ITP) also comprises four desired operational capabilities (DOC): assurance, capacity, interoperability, and information management.

• Assurance (DOC ITP-1): Defending against information threats and providing the warfighter with high-quality information services when needed to meet the dynamically changing demands of the future.

• Capacity (DOC ITP-2): Providing the warfighter with a flexible, adaptive network to transmit and receive the right volume of information at the right time and the right place.

• Interoperability (DOC ITP-3): Providing universal transaction services that allow the warfighter to exchange and understand information unimpeded by differences in connectivity or language, on a real-time basis, regardless of location.

• Information Management (DOC ITP-4): Managing an assured, real-time, scalable information flow throughout the infrastructure.

A key to meeting these challenges is the global information grid (described in more detail below). However, the current stovepiped environment, which is characterized by scores of separately managed, noninteroperable networks with varying levels of network management, configuration management, and information protection, makes it difficult to visualize, manage, and protect this grid with any degree of effectiveness or efficiency. Moreover, management of most of the networks that compose the GIG is conducted as an administrative rather than an operational function, with uncertain chains of command. Most of the associated technologies and procedures reflect a Service-centric rather than a joint network-centric warfighting perspective.

NETOPS Background

"In order for the U.S. to exert, to the maximum extent possible, the power of our military forces in future operations, all military entities and functions must be part of a common integrated information infrastructure."

—Defense Science Board, 1998 Summer Study Task Force on Joint Operations Superiority in the 21st Century

Global Information Grid

The DII, together with its supporting policies, plans, and programs, was conceived in the early 1990s to align basic information processing and transport services with DoD's functional area applications and common applications. The alignment was intended to improve the ability to execute joint military operations and the efficiency of key underlying mission support tasks. However, achievement of information superiority and other operational tenets of Joint Vision 2010 requires a new assured, network-centric and knowledge-centric paradigm that treats information as a critical warfighting resource. The need for an affordable, interoperable, protected information grid is emphasized in the 1996 Information Technology Management Reform Act (ITMRA, also known as Clinger-Cohen), the 1997 Quadrennial Defense Review (QDR), and Presidential Decision Directive (PDD) 63, Critical Infrastructure Protection (CIP).

The GIG is an ASD/C3I initiative aimed at improving security and interoperability while reducing costs, by moving from an infrastructure (DII) to an enterprise (GIG) approach to achieve information superiority. The GIG is envisioned as a globally interconnected, end-to-end set of information capabilities, associated processes, organizations, and personnel for collecting, processing, storing, disseminating and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes all owned and leased communications and computing systems and services, software (including applications), data, security services, and other services necessary to achieve information superiority. It provides capabilities from all operating locations, including bases, posts, camps, stations, facilities, mobile platforms, and deployed sites.

[Photo caption: The Watch Officer in the Pacific Command Theater C4ISR Coordination Center (TCCC) during the Y2K rollover.]

The GIG initiative is divided into three "thrust" areas: resourcing the enterprise, aligning the technology base, and enterprise operations. Enterprise operations are composed of computing and communications (networks, computing, and interoperability) and enterprise management (network management, information dissemination management, and information assurance). Guidance and policy memorandums have been created for each of the three thrust areas.


Network Operations

Network operations (NETOPS) is a Joint Chiefs of Staff (JCS) C4 (JCS/J6) initiative to institutionalize networks as a warfighting resource under CINC combatant command authority. At its heart is an organizational, procedural, and technological construct for ensuring information superiority and enabling speed of command for the warfighter. NETOPS will link widely dispersed network operations centers through a command and organizational relationship; establish joint tactics, techniques, and procedures to ensure a joint procedural construct; and establish a technical framework to create a common network picture for the Joint Force Commander. Functionally, NETOPS is a theater-wide approach to providing assured network access, assured information and network protection, and assured information delivery at the strategic, operational, and tactical levels through a co-evolution of doctrine, processes, and technology. The goals of JCS/J6 NETOPS are as follows:

• Establish C4I network management and network defense as ongoing military operations

• Provide the unified CINCs with network situational awareness

• Implement control and management capabilities that achieve end-to-end distributed control while providing a common view and joint use of network management information

• Implement positive control over, and security of, networks through a network operations hierarchy

• Provide the unified CINCs with authoritative direction over network resources, in coordination with Defense Information Systems Agency (DISA) and the Service Components of the Unified Command, as a function of the GIG.

Theater Network Operations is the ASD/C3I and JCS/J6 pilot program established to develop the organizational, procedural, and technological construct for implementing NETOPS across the U.S. Pacific Command (USPACOM) area of operations. The implementation of NETOPS at USPACOM is already providing lessons concerning the proposed constructs; it will also assist in determining resource implications for managing the operational environment in this manner, with an eye to applying similar concepts and lessons across DoD. A primary goal of USPACOM NETOPS is to operationalize and professionalize the network by using a tiered command relationship within the combatant commander's Theater Information Grid (TIG).

NETOPS Functional Elements

Network operations is defined as the ability to monitor, coordinate, manage, and control the GIG through a three-tiered command hierarchy. It comprises three mission areas: telecommunications network management (TNM), for assured network availability; information assurance (IA), for assured information protection; and information dissemination management (IDM), for assured information delivery to the right person, at the right place, at the right time. This comprehensive ability will manifest itself in an organizational, procedural, and technological framework that allows the CINC J6 to effectively execute CINC priorities while fulfilling tasks identified to sustain the GIG.




Telecommunications Network Management (TNM)

TNM includes the range of transmission systems, wired and wireless, that carry voice, data, and video throughout the theater. It includes switched networks, Internet Protocol (IP) based data networks, video teleconferencing (VTC) networks, satellite communications (SATCOM) networks, wireless networks, and intelligence community networks that support intelligence, surveillance, and reconnaissance functions. The major components of TNM are network management, SATCOM management, and frequency spectrum management.

• Network management comprises all measures necessary to ensure the effective and efficient operation of networked systems. The goal of network management is to provide the services and applications of a networked system with the desired level of quality and to guarantee availability and a rapid, flexible deployment of networked resources. Network management comprises the functions of fault, configuration, accounting, performance, and security (FCAPS) management.

• SATCOM management is the day-to-day management of all apportioned and nonapportioned SATCOM resources, including appropriate support when disruption of service occurs.

• Frequency spectrum management ensures that the CINC and subordinate commanders have cognizance over all spectrum management decisions that affect the area of operations. Spectrum planning and management involve the efficient employment of the electromagnetic spectrum, including acquisition, allocation, assignment, protection, and utilization of radio frequency resources. This includes cognizance over the automated distribution of management products, such as the Joint Standard Operating Instructions (JSOI). This function is performed by all military Services, sub-unified commands, and JTFs. Planning at the installation level at overseas locations frequently includes host nation coordination.

Information Assurance (IA)

IA capabilities help ensure the availability, integrity, identification, authentication, confidentiality, and nonrepudiation of friendly information and information systems while denying the adversary access to the same information and systems. These capabilities reside throughout the TIG. As a subset of Defensive Information Operations (DIO), IA includes providing for restoration of information systems by incorporating protection, detection, and response capabilities. Protection capabilities include communications security (COMSEC), computer security (COMPUSEC), and information security (INFOSEC) devices such as network guards and firewall systems that are used by all transport and service providers in the theater. Detection includes the ability to sense abnormalities in the network through use of intrusion detection systems. Timely attack detection is key to initiating network restoration and response capabilities. Response incorporates restoration as well as other information operations response processes. Capability restoration relies on established mechanisms for prioritized restoration of the minimum essential networks.

Information Dissemination Management (IDM)

IDM provides the right information, at the right place, at the right time, in accordance with the commander's policies and optimizing use of information infrastructure resources. It is a subset of information management that addresses awareness of, access to, and delivery of information. IDM involves the safeguarding, compilation, cataloging, storage, distribution, and retrieval of data; manages information flow to users; and enables execution of the commander's information policy.

IDM divides information into two types: planning and survival. Planning information is used to determine future action and is generally not time sensitive. It is used by planners and decision makers throughout the battlespace and is normally stored in databases, Web pages, or files. Survival information is extremely time sensitive and requires immediate action, such as attacking the enemy, avoiding attack, and preventing fratricide. Survival information is normally forwarded over tactical networks and datalinks to tactical commanders and individual weapon systems.

NETOPS prescribes a tiered organizational task structure corresponding to the levels of war established in the Universal Joint Task List (UJTL): National, Theater, Operational, and Tactical. This approach provides a network C2 structure that corresponds to existing C2 structures for operational forces in the theater. However, the following core capabilities should exist at each level: a C2 capability that can respond to and report network outages and attacks; the ability to operate and manage the information transport infrastructure; the ability to operate and manage information flow; and the ability to operate and manage information and network defense systems.

NETOPS Implementation

"Information is like eggs, the fresher the better."

—General George S. Patton

"The central problem is not collecting and transmitting information, but synthesizing it for the decision maker."

—Richard Burt, former Ambassador to West Germany and former Assistant Secretary of State for Europe

Approach

USPACOM NETOPS implementation is based on a spiral, phased development approach with three planning horizons: near-term, mid-term, and far-term. Near-term planning focuses on achieving essential operational capabilities (i.e., the ability to perform today's mission to support the CINC and JTF commanders). Tasks in this planning phase are stop-gap measures to obtain situational awareness over the theater information grid and to implement a command relationship over subordinate network operations centers. Mid-term planning focuses on achieving the desired operational capabilities described in Joint Vision 2010 Information Transport and Processing. This phase employs a network-centric approach to bring together the disparate technologies and capabilities in a coordinated manner. Far-term planning aims to achieve Revolution in Military Affairs (RMA) related capabilities and focuses on current Defense Advanced Research Projects Agency (DARPA) technology and planned process reengineering to create an enterprise-wide network operations and security capability. The goal is a knowledge-centric capability that will allow the CINC to command the TIG. Implementation of PACOM Theater Network Operations links near-term essential operational needs to far-term future operational capabilities in each of the NETOPS functional areas: telecommunications network management, information assurance, and information dissemination management.

Near-Term Goals and Objectives

The near-term (0 to 18 months) goal is to make network, IA, and information application status visible to the CINC. The principal focus in this phase is to create a network common operational picture (NETCOP) that provides end-to-end visibility of mission-critical networks and information systems. The near-term phase focuses on incorporating existing organizations and procedures into a coordinated theater-wide capability. The near term relies heavily on leveraging existing technologies (either already in place or programmed for fielding) to provide an essential operational capability within an 18-month planning horizon. Near-term objectives are as follows—


• Create a common view of theater-wide network, IA, and application (Global Command and Control System [GCCS]) status through a NETCOP (Observe)

• Implement the ability to quickly understand potential operational impacts of network outages, degradations, and attacks through a TIG mission-critical database (Orient)

• Develop course-of-action techniques to aid in the decision-making process (Decide)

• Institute a C2 mechanism to coordinate theater-wide response to network outages, degradations, and attacks (Act).

Mid-Term Goals and Objectives

Mid-term (0 to 36 month) goals are to implement the desired operational capabilities established by Joint Vision 2010: defend against information assurance (IA) threats; provide the warfighter with a flexible, adaptable network for transmitting and receiving the right volume of information at the right time and the right place (TNM); and manage an assured, real-time, scalable information flow throughout the infrastructure (IDM). The aim is to create a network-centric infrastructure that uses interoperable network and information management and protection tools and employs standard processes to enable near-real-time collaboration and response capabilities. Mid-term objectives are as follows—

• Create an integrated view of network, IA, and C2 application status through the integrated NETCOP (I-NETCOP) (Observe)

• Link the TIG mission-critical systems database to I-NETCOP (Orient)

• Develop semi-automated course-of-action decision-support tools to decrease decision time and increase decision accuracy (Decide)

• Implement a virtual collaboration capability linking geographically dispersed network managers to decrease implementation time (Act).

Far-Term Goals and Objectives

Far-term (0 to 60 month) goals are to implement future operational capabilities that enable a knowledge-centric enterprise information management and protection capability across the theater. This capability includes seamless and interoperable network, IA, and information visibility using standardized tools and enterprise-level processes. The ability to command the theater information grid is predicated on the ability to merge planning and survival information management through an enterprise-wide network and information management system. Far-term objectives are as follows—

• Create an integrated view of network, IA, application, and operational (GCCS) status that is scalable and accessible across the theater at all echelons (Observe and Orient)

• Integrate automated course-of-action decision-support tools and virtual collaboration systems to support a near-real-time analysis and collaboration capability (Decide and Act).

Conclusion 

“All successfully adapting systems have something in common: they transform apparent noise into meaning faster than apparent noise comes at them.”

—Stephan Haeckel, Director of Strategic Studies, IBM Advanced Business Institute

The ability to implement a joint communications grid with adequate capacity, resilience, and network management capabilities to support the operational concepts of Joint Vision 2010 is key to achieving information superiority. As recent operations in the Middle East (Desert Fox), Europe (Kosovo), and the Pacific have demonstrated, the lack of real-time visibility and control of networks, manual and latent network management capabilities, and a fragmented IA architecture have emerged as significant operational challenges to support of the warfighter. NETOPS is an attempt to provide organizational, procedural, and technological solutions to these challenges, in order to achieve information superiority.

The basic goal of NETOPS is to improve overall performance through more timely reporting and responses to network attacks and failures, enhanced situational awareness of network and IA status, and improved decision making. These collective improvements should increase the effectiveness, efficiency, and robustness of the GIG. NETOPS will ensure greater coordination, management, and control capabilities that will allow end-to-end distributed control while providing a common view and joint use of theater information processing and transport assets.


Brigadier General (P) James D. Bryan is the Commander, JTF-CND and Vice Director for DISA. He was most recently Director for Command, Control, Communications and Computer Systems, USPACOM, Camp H. M. Smith, Hawaii. He graduated from Jacksonville State University with a B.S. in Education and was commissioned as a Second Lieutenant in the Regular Army. He earned his Master of Adult Education degree from North Carolina State University and was inducted into the Phi Kappa Phi National Academic Honor Society.

Patrick Gorman is a Program Manager for the Pacific Network Operations initiative at Camp H.M. Smith, Hawaii. He graduated with a B.A. from the University of Maryland and an M.A. from the George Washington University. He may be reached at gorman_patrick@bah.com

Endnote 

1. Statement before the Senate Armed Services Committee Subcommittee on Emerging Threats and Capabilities: Information Warfare and Critical Infrastructure Protection.


IAnewsletter • Volume 3, Number 4 • http://iac.dtic.mil/iatac


A Retrospective on Computer Network Defense


Major  General  John  Campbell,  USAF 
Central  Intelligence  Agency 


I recently relinquished command of the Joint Task Force-Computer Network Defense (JTF-CND) to Brigadier General (P) James D. Bryan, U.S. Army. Dave's dual assignment as CJTF-CND and Vice Director for the Defense Information Systems Agency (DISA) follows his most recent assignment as the J6 for U.S. Pacific Command (PACOM). With his communications background and recent experience in a command with one of the most active information assurance (IA) programs in the Department of Defense (DoD), Dave is exactly the right person to take command of the JTF-CND. As I leave, I thought it would be worthwhile to share some of my observations about where we've been, where we are, and where we need to go to continue to strengthen DoD's cyber defenses.

We have made some real progress in the past 2 years. To use a tired metaphor, the glass is definitely more than half full; but the empty part represents a significant challenge. Although I am convinced that the real threat we must prepare for remains the organized, structured, well-resourced state-sponsored attacker, it is clear that the danger from the individual hacker is increasing and represents a real concern for the security of DoD networks. We are increasingly seeing sophisticated tools and techniques that can not only cause significant damage in their own right but also cause us to adopt defensive measures that amount to self-inflicted denial of increasingly critical network services.

I would like to take a moment to look back at some key events that have shaped DoD's approach to this mission area and at some of the significant decisions resulting from those events. For good or bad, we have made progress in DoD primarily when events have demonstrated that a serious threat exists. But even in these cases, progress has not come easily. Determined leadership by a few key individuals—most of all, former Deputy Secretary of Defense (DEPSECDEF) John Hamre—has helped us overcome organizational inertia and institutional bias, which have slowed development of an effective DoD-wide defensive structure.

Watershed  Events 

Although our cyber vulnerabilities had been recognized before, exercise ELIGIBLE RECEIVER 97 (ER97) in June 1997 clearly demonstrated our lack of preparation for a coordinated cyber and physical attack on our critical military and civil infrastructures. The timing of ER97 resulted in incorporation of many of its observations into the October 1997 Report of the President's Commission on Critical Infrastructure Protection (PCCIP). This report recognized the growing vulnerabilities of the nation's critical infrastructures, including telecommunications, banking, transportation, and government services. The PCCIP report also influenced the development of Presidential Decision Directive 63 (PDD-63) in May 1998. PDD-63 set goals for securing the national infrastructure, established a national structure to manage challenges, recommended a national center to “warn of and respond to attacks,” required the Government to serve as the model, and sought voluntary private-sector participation in critical infrastructure protection.

The observations of ER97 and the PCCIP were reinforced in February 1998 when a series of cyber intrusions called Solar Sunrise generated significant concern about the security of DoD's networks. Although these intrusions were eventually traced to teenage hackers in northern California, Solar Sunrise clearly demonstrated the reality of what previous exercises and studies had predicted. Most important, Solar Sunrise clearly demonstrated that we had not answered the basic question “Who's in charge of the defense of DoD networks and systems?”

Several significant decisions resulted from these events. In the interagency arena, PDD-63 laid the foundation for the formation of the National Infrastructure Protection Center (NIPC). NIPC is sponsored by the Department of Justice (DOJ) and the Federal Bureau of Investigation and includes representatives of DoD and other departments of the Federal Government. Although the NIPC has received some criticism for its law enforcement-centric approach, DOJ deserves credit for stepping up to the plate and sponsoring this badly needed capability. On the DoD side, staffing originating with the ER97 observations and reinforced by the Solar Sunrise activities culminated, in December 1998, in a recommendation by the Chairman of the Joint Chiefs of Staff (CJCS), approved by the Secretary of Defense (SECDEF), to establish the JTF-CND. The SECDEF charter, signed December 4, 1998, tasked the JTF-CND with “coordinating and directing the defense of DoD computer systems and computer networks.” The JTF opened its doors in December 1998 and achieved full operational capability in June 1999. While the JTF is physically located at DISA headquarters and DISA provides significant logistical and technical support, DISA is not in the JTF chain of command.

It is important to recognize that the JTF-CND was designed originally as a “gap filler” organization, that is, to quickly field a DoD defensive capability pending thorough staffing, via the Unified Command Plan (UCP) process, of the proper long-term responsibility for CND. As most know, UCP99 assigned the CND mission, effective October 1999, to the U.S. Space Command (USSPACECOM). Several organizational constructs were considered in building the USSPACECOM CND implementation plan. The Commander in Chief, U.S. Space Command (CINCSPACE) eventually decided to retain the JTF-CND as his operational command for CND while building a long-term robust CND capability at Colorado Springs to perform strategic planning, analysis, and resource functions. It is worth noting that the JTF headquarters has relatively little organic capability, with only 24 authorized positions. We perform our mission by leveraging the capabilities of our components: the DISA Global Network Operations and Security Center (GNOSC), the DoD Computer Emergency Response Team (CERT), and our four service components. The components provide the real capability for reporting, analysis, and execution of remedial actions. Additionally, the augmentation provided to our intelligence and law enforcement sections has significantly improved our capabilities. Recognizing the significant activity under way at USSPACECOM headquarters, I would like to briefly discuss the progress of the JTF-CND and offer some observations about the state of the CND mission.

Successes

JTF-CND provided DoD with a focal point for dealing with cyber threats and answered the “Who's in charge?” question. During the Melissa virus incident in March 1999, the JTF-CND, in cooperation with the DoD CERT, was able to quickly assess the threat, develop a defensive strategy, and direct appropriate defensive actions. Where damage to the private sector totaled in the hundreds of millions of dollars, DoD experienced relatively little effect and no operational impact. After USSPACECOM's assumption of command of the CND mission, two other events demonstrated the value of centralized responsibility and authority: the February 2000 distributed denial-of-service (DDOS) attack, which by most estimates slowed the Internet by 20 percent and shut down a number of the most popular Internet sites, including Yahoo and eBay, among others, and the May 2000 Loveletter worm, estimated to have cost billions worldwide. These attacks vividly demonstrate the increasing ability of an individual hacker to cause significant damage to the worldwide cyber infrastructure. In the case of the DDOS event, DoD was not directly targeted, but the organization we have developed allowed us to maintain situational awareness of the attacks' progress and to ensure that we understood the status of DoD systems. In the case of Loveletter, although we were initially caught off guard by the speed of the developing attack, we were able to provide CINCSPACE with an assessment of the situation and to direct proper remedial actions to minimize damage to DoD. In this case, as in the Melissa incident, DoD suffered no operational impact, although significant numbers of DoD users suffered self-inflicted denial of service because of initial actions, including disabling E-mail services and disconnecting from the Internet. The Melissa, DDOS, and Loveletter incidents clearly demonstrate the increasing threat that individual hackers represent to DoD's business processes and even its command and control systems.

In consideration of this threat environment, I would like to offer some thoughts on the current state of CND and where we need to improve.



CND Is a Partnership

Effective CND must be a partnership between network operations, law enforcement, and intelligence. Before 1998, these communities operated independently, with little strategic perspective or coordination. The formation of the JTF-CND provided a nexus for cooperation and an operational focus, and assignment of mission responsibility to CINCSPACE further emphasized the importance of our networks as weapons systems. The intelligence and law enforcement communities have invested significant resources in the CND mission, and the command, control, communications, and computer (C4) community is emphasizing the network operations (NETOPS) concept, which gives regional warfighters greater visibility and control over their networks. We need to make sure this partnership remains balanced—too much emphasis on one area will come at the expense of others. Within the JTF-CND, we have a law enforcement/counterintelligence center, which is staffed full-time by representatives of the service and defense law enforcement organizations. We also maintain a robust intelligence section, with liaison officers from the Defense Intelligence Agency and the National Security Agency who can tap the resources of the intelligence community. These resources and capabilities, combined with the NETOPS expertise of DISA's Global Network Operations and Security Center and the DoD CERT, give us an effective CND team.



Senior Leadership Emphasis Is Critical

Effective CND is hard work. It requires people and effort, and competes with other activities. In this process, the NETOPS/intelligence/law enforcement team will, properly, respond to the priorities established by senior leadership. I am encouraged by the emphasis that senior uniformed and civilian leadership of the department—from the CJCS and service chiefs, through the senior communicators, to field commanders—are placing on such things as Information Assurance Vulnerability Alert (IAVA) compliance and the Information Operations Condition (INFOCON) process. As an example, the Air Force now treats network incidents like aircraft accidents, with a formal investigation and a report to the responsible commander. This process recognizes the critical nature of our information systems by treating them like other weapons systems and providing commanders with the same degree of visibility and control.

The Role of Law Enforcement and Counterintelligence

Law enforcement and counterintelligence have critical roles in DoD's computer network defense. Because the law assumes that an intruder into DoD systems is a U.S. citizen and is entitled to the rights provided by U.S. law and the Constitution, almost every cyber incident is initially investigated as a law enforcement problem. Although this does not prevent DoD from taking aggressive action to protect its networks and systems, it does limit the role of intelligence agencies and requires investigative actions to be conducted in accordance with the laws protecting individual rights. This makes a close relationship with the law enforcement community very important to the nation's overall CND effort. Recognizing this need, DoD's Defense Criminal Investigative Organizations [Air Force Office of Special Investigations (AFOSI), National Crime Intelligence Service (NCIS), Defense Criminal Investigative Service (DCIS), U.S. Army Criminal Investigation Department (USACID), and U.S. Army Military Intelligence (USAMI)] volunteered to provide a team of law enforcement officers and counterintelligence officers to staff a law enforcement/counterintelligence center at JTF-CND headquarters. With the exception of one rotating officer who acts as a liaison to the CJTF, the law enforcement/counterintelligence team members report individually to, and receive direction from, their service command structures and maintain the confidentiality required by their investigative processes. The Law Enforcement/Counterintelligence Center allows us to coordinate overall activity, maintain awareness of the progress of investigations, and coordinate activities across multiple services and agencies. The law enforcement expertise that these officers provide also gives us a much closer relationship with NIPC than we would otherwise have had. The law enforcement/counterintelligence relationship is one of the real success stories of the past year.



The Threat Environment

The most recent DDOS and virus incidents are a “good news/bad news” story. The bad news is that these incidents happen, and they are incredibly fast and destructive. The good news is that we have a process for responding to such incidents and that our response is improving. Despite the good news, we need to take several steps to better position ourselves for responding to fast-spreading viruses and other attacks.

• Early Warning—We need an early-warning network designed to detect and report events, like viruses, that are likely to "follow the sun" or spread westward with the workday. One way to do this is to use the Y2K model, with organizations in the western Pacific and Europe acting as the early warning sensors. This early warning capability will provide us with a few hours of preparation time before the start of the business day in the continental United States.

• Rapid Notification—We need a way of rapidly notifying DoD organizations of significant cyber events, just as we do for other time-sensitive events. A quick-reaction teleconference system is probably the answer, and in fact, USSPACECOM is developing such a process. In addition, if we are to be prepared for serious virus events, we must also be prepared for some false alarms.

• Involving the Private Sector—We need to involve the private sector in the early warning process. Just as DoD has worldwide organizations that can serve as early warning sensors, so do many private sector organizations with global operations.

• Virus Protection—We need standard virus protection measures that we can invoke in response to viruses. One thing we should not do is preemptively disconnect E-mail systems or sever access to the Sensitive but Unclassified Internet Protocol Router Network (NIPRNET). Because more and more of our administrative and support systems depend on E-mail connectivity, disconnecting from these systems amounts to a self-inflicted denial of service, which should be used only in extremes.

We need more applications that are more virus resistant and better awareness of the virus threat. A few software improvements, such as controlling mass E-mailings, would go a long way toward preventing the spread of viruses.
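One software control of the kind the paragraph above calls for, as an added illustration that is not from the newsletter or from any DoD system: a rate-based mass-mailing detector run over a constructed outbound-mail log. It keeps a per-sender sliding window and raises an alert when one sender reaches more than a configurable number of distinct recipients inside that window, which is the signature a Melissa- or Loveletter-style mass mailer leaves on a mail gateway. The log format, thresholds, and addresses are assumptions made for this example.

```python
"""Sliding-window mass-mailing detector.

Added example, not code from the newsletter or from any DoD system.
The log format below is an assumption made for this illustration:
    <ISO-8601 timestamp> <sender> -> <recipient> <subject>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sender>\S+) -> (?P<rcpt>\S+) (?P<subject>.*)$")

# Constructed sample log: two normal messages from alice, one malformed line,
# then a burst of 12 messages from dave to 12 different recipients in 12 seconds.
SAMPLE_LOG = "\n".join(
    [
        "2000-05-04T07:15:00 alice@example.mil -> bob@example.mil Meeting notes",
        "2000-05-04T07:40:10 alice@example.mil -> carol@example.mil Re: Meeting notes",
        "this line is not a mail log record",
    ]
    + [
        f"2000-05-04T08:00:{2 + i:02d} dave@example.mil -> user{i:02d}@example.mil Fwd: attachment"
        for i in range(12)
    ]
    + ["2000-05-04T08:30:00 alice@example.mil -> bob@example.mil Lunch?"]
)


def parse_line(line):
    """Return (timestamp, sender, recipient, subject), or None for a malformed line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["sender"], m["rcpt"], m["subject"]


def detect_mass_mailers(lines, window=timedelta(seconds=60), max_recipients=10):
    """Flag senders that exceed max_recipients distinct recipients within `window`.

    Returns {sender: (time_of_first_alert, distinct_recipients_at_that_time)}.
    Lines are assumed to arrive in timestamp order, as a gateway log would.
    """
    recent = defaultdict(deque)  # sender -> deque of (timestamp, recipient)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed input rather than crash the monitor
        ts, sender, rcpt, _subject = rec
        q = recent[sender]
        q.append((ts, rcpt))
        # Drop entries that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) > max_recipients and sender not in alerts:
            alerts[sender] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for sender, (when, count) in detect_mass_mailers(SAMPLE_LOG.splitlines()).items():
        print(f"{when.isoformat()} ALERT {sender}: {count} distinct recipients within 60 s")
```

Run as a script, it prints one alert line for the bursting sender. A gateway enforcing this rule would hold or rate-limit that sender's outbound messages for review, a far narrower response than disabling E-mail service for everyone, which is the self-inflicted denial of service the article warns against. The window and threshold have to be tuned to a site's legitimate traffic (distribution lists, automated reports) so that false alarms stay rare, the same trade-off the Rapid Notification item above accepts.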

Private Sector Information Sharing

Government and the private sector need the ability to share information about ongoing attacks, system status, and defensive and remedial actions, for several reasons. First, we need to work together to enable early detection of viruses and worms, where a quick reaction is critical to damage limitation. Second, we need to exchange information in order to assess the scope and intent of a cyber attack. ER97 demonstrated the interrelated nature of the infrastructures of DoD and the private sector. We need to be able to rapidly understand the “big picture,” spanning both the federal and the private sectors. Third, DoD shares common systems and common vulnerabilities with the private sector, including an increasing reliance on Web-based communications and commercial software systems. Finally, we in DoD must be able to pool resources with the private sector to develop defenses when a cyber event occurs. The Information Sharing and Analysis Center (ISAC) concept laid out in the national PCCIP plan is a start; today we have ISACs for banking and finance and telecommunications, and we are developing close bilateral relationships with them. But ISACs are needed for all the critical infrastructure sectors, with an aggressive information-sharing process through the NIPC. Some new legal protection, like that provided for the Year 2000 (Y2K) rollover, may be required for the participating ISAC members. There is legislation pending that would provide this.

CND versus CNA

As we allocate scarce resources between computer network attack (CNA) and CND, we need to ensure we tackle the basics first. While CNA holds out great long-term possibilities, we need to get the CND piece right first. My reason for this viewpoint is twofold. First, while we can pick the time and place for execution of CNA, we have to protect our networks, across the Defense Information Infrastructure (DII), all the time. Second, the consequences of failure are greater for CND than for CNA. Today, CNA is a marginal, albeit growing, capability, and the failure to execute it well, or at all, will not be a deciding factor in the next conflict. However, our ability to mobilize, deploy, and employ our combat forces depends on the computer networks of the DII. Command and control, logistics, transportation, medical, personnel, and general administrative and support systems depend on the connectivity provided by the DII networks. Failure to defend them carries the risk that we will not be able to get our forces to the fight, employ them once they are engaged, or support them in the field.

That said, CND and CNA are inextricably related, and to do either well requires an appreciation of the other. Therefore, I believe it is important to maintain a close relationship between these areas. First, the techniques we use as offensive tools may someday be used against us, so offense and defense must be coordinated. We can do a better job of defense if the defenders understand offensive tools and techniques. In addition, we eventually will need to expand our defensive capabilities to include active defense, or counteroffensive tools capable of taking the fight back to the attacker. Today, legal and policy restrictions limit our ability to use even the limited technical capabilities we possess, but eventually, as those capabilities improve, we will need a commensurate operational command and control structure, and an appropriate legal and policy environment.

Policy and Regulatory Requirements

The legal and policy environment in which we operate is complex and constantly evolving. Lt Col Charlie Williamson, my Staff Judge Advocate, recently published an article in the IAnewsletter (Volume 3, Number 1) that provides a good overview of this sensitive area. Some imperatives are immediately obvious. First, we need international agreements for expeditious pursuit of those who have violated the law. Second, we need authorities to allow law enforcement agencies to rapidly conduct electronic surveillance of those involved in cyber attacks. We also need legislation to encourage information sharing between the Federal Government and the private sector, in particular to protect proprietary information and shield sensitive information from Freedom of Information Act (FOIA) requests. Finally, in DoD, we need to work with the policy and legal process to secure a more active electronic defense, including appropriate rules of engagement. We have been actively involved in discussions with DOJ since ER97, and several legislative initiatives are on the Hill today, so we are making progress, but slowly.

Common Operational Picture (COP)

As we operationalize and normalize CND, we will have an increasing need to provide the warfighter with a real-time picture of the electronic battlespace so that he or she can understand and visualize the status of networks and quickly develop and execute courses of action to defend them. We have called this effort the information assurance common operational picture (IA COP), and more modestly, the IA situational awareness tool. Under DISA direction, we will be ready to incorporate some initial situational awareness tools into the Global Command and Control System next year. This is a small step; much work, and considerable resources, must be expended to develop an IA COP for the warfighter of the future.

IAnewsletter, Volume 3, Number 4, page 14. http://iac.dtic.mil/iatac

Information Operations Condition (INFOCON)

The Joint Staff instituted the INFOCON process last year. This is clearly a step in the right direction. INFOCON gives us a means of reacting defensively under attack, or proactively to set a DoD-wide defense condition when the indications and warning process indicates a developing threat. We have exercised INFOCON a few times and found that, while the basic process is sound, there is considerable room for improvement in several areas. First, we need to flesh out the measures to provide more specificity. Second, we need to develop more specific criteria for entering and exiting each INFOCON level. Finally, we need to understand the cost and mission impact of more advanced INFOCON levels. We cannot afford to routinely implement a self-imposed denial of service as a defensive measure. USSPACECOM has taken on the challenge of improving the INFOCON process and held a DoD-wide conference in June to address these issues. INFOCON is the right tool; we just need to improve and exercise it.

An issue related to INFOCON is the vulnerability of the NIPRNET and the Secret Internet Protocol Router Network (SIPRNET) to intrusions from the Internet. I have frequently heard suggestions that DoD should disconnect from the Internet, either permanently or as a defensive measure in the event of an attack. It has become apparent, however, that many of our mission-critical SIPRNET and NIPRNET systems, for example the Global Transportation Network, receive information from the Internet. There are also technical questions, since some DoD "dot.mil-to-dot.mil" traffic in fact flows through the Internet. We need to improve our understanding of the dependencies and technical network factors and develop some basis for decision making in this area. We then need to test the disconnection process before we adopt this as a defensive tool. DISA is currently conducting a study to answer some of these technical questions.

System Administration and Configuration Control

The IAVA process was developed in 1998, at the direction of the DEPSECDEF, when it became apparent that we had no way of rapidly implementing time-critical system patches across DoD and providing control of compliance. Today, the IAVA process, run by DISA, provides a way of achieving these ends. Unfortunately, the process has still not completely penetrated DoD. An analysis of 1999 root-level intrusions in DoD shows that 94 percent of the intrusions could have been prevented if accepted security practices had been followed and existing IAVAs had been implemented. In other words, although we are better off than we were a year ago, we must do better. Making the needed improvements will require command emphasis, since IAVA compliance competes with other mission-critical activities for the time of our system administrators. There have been promising developments in this area. In June CINCSPACE assumed responsibility for the IAVA program. In addition, CJCS recently directed "commanders at all echelons" to emphasize IAVA compliance.

Conclusion

I remember all too clearly sitting in the DEPSECDEF's conference room in February 1998 during the Solar Sunrise discussion and being asked the basic question I asked earlier in this article: "Who's in charge?" We have come a long way since then. We have someone in charge (CINCSPACE) and the beginnings of a proper defensive force. In October, USSPACECOM will assume the CNA mission and begin developing a robust offensive force to complement our defensive capability. The future is truly exciting. We just need to keep our eye on the ball and ensure that we properly support this developing mission area. I wish all of you in the CND/IA mission the very best of luck.


Maj Gen John Campbell was commissioned through the Air Force Reserve Officer Training Corps in 1969 at the University of Kentucky. He is a command pilot with more than 3600 flying hours and has commanded a fighter squadron, a fighter group, and two fighter wings. He was the first Director of Information Operations on the Joint Staff, and was assigned as the Commander of JTF-CND and Vice Director, DISA in November 1998. On 9 June 2000, he assumed duty as the Associate Director of Central Intelligence for Military Support in the Central Intelligence Agency.




U.S. Special Operations Command Builds New NOSC

Major John I. Jordan, USA
U.S. Special Operations Command


Recognizing that advances in computer and security technology require nearly simultaneous advances in the monitoring capability of the new technology, the U.S. Special Operations Command (USSOCOM) recently rebuilt its Network Management Office into a Network Operations and Security Center. The NOSC, as it is called, monitors USSOCOM's local area networks, wide area networks, and network security.

What separates the USSOCOM NOSC from other NOSCs in the Department of Defense (DoD) is the fact that it monitors networks at all classification levels. USSOCOM is the first command in DoD to combine intelligence systems and common user systems under one organization. This groundbreaking combination has given users in all communities true "one-stop shopping" for their computer and communications needs and has enabled DoD to achieve dramatic savings in money and manpower.

Before their unification under the NOSC, two entire computer staffs ran USSOCOM's systems. This meant two sets of systems administration contracts, two hardware maintenance contracts, two processes for configuration management, and two processes for information assurance. By combining these efforts, USSOCOM was able to develop one systems administration and systems engineering contract and one server hardware contract and to combine both configuration management and information assurance processes to satisfy all users. This consolidation allowed immediate savings of $1.3 million in contract support costs and reduced the size of the staff for running the systems by over 30 persons. While joining two staffs that had been separate forever was not without its growing pains, the final product has been a smaller staff with no decrease in customer service.

The security section of the USSOCOM NOSC was developed in response to DoD's increased emphasis on security issues. USSOCOM is extremely serious about the security, not only of its forces, but also of the information its forces require to carry out USSOCOM missions. In the information assurance arena, USSOCOM is proceeding with its defense-in-depth program on all of its networks. The NOSC is a focal point of this effort. USSOCOM's strategy for security is to defend the outside of these systems as well as the inside.

To defend the outside of USSOCOM's three networks, the command uses a variety of monitoring hardware and software designed to greatly reduce unauthorized users' ability to gain access to system resources. Firewalls, access control lists, monitors, and sensors placed in strategic network locations provide much of USSOCOM's defense against outside attack. The NOSC provides a single, 24-hour watch cell for monitoring this defense strategy.

USSOCOM also realizes that attacks on, and unauthorized access to, computer systems can be caused by people on the inside. To help prevent insider damage to its systems, USSOCOM uses a combination of training and security procedures. For example, password "cracking" is one of the easiest
(continued on page 24)




Where There's Smoke, There's Fire...

Brian Bottesini, NAVEUR
Brenda Angerhofer, NAVEUR

When we were young, many of us dreamed of becoming doctors, firefighters, at least in a metaphorical sense. This is especially true in the information technology (IT) world, where technology changes every day and IT managers routinely face new challenges and "fires" to put out. Just keeping the network up and running involves putting out daily brush fires to prevent a conflagration.

In the world of information assurance (IA), we have seen a continuing battle between the defenders of our networks and those who intend harm. IA professionals must constantly defend networks from viruses, intrusions, probes, and other harmful activities, whether these are caused by malicious "arsonists" or just someone playing with matches. Effective IA fire prevention and fire fighting involve identifying the threats, applying effective countermeasures, and understanding and accepting the remaining risk to our systems.

No computer network is completely fireproof. In fact, some say that the only truly safe computer is the stand-alone computer locked in a closet, an arrangement that offers exceptional security but little utility. IA professionals must carefully weigh the needs of their operations against the need for smart security mechanisms. One of the most common IA mechanisms in use today is the firewall. A firewall is a system designed to prevent unauthorized access to or from a private network.

Although the firewall is an excellent security defense mechanism, by itself it is a Maginot Line defense. To be effective, the firewall must be part of a much broader IA architecture that includes several layers of security, including antivirus applications, intrusion detection systems, content filtering, physical and personnel security, and other elements. The U.S. Navy's and Marine Corps' defense-in-depth strategy defines such an overall security architecture with multiple layers of assurance mechanisms.

The Fire Code

To protect against actual fires, the United States has instituted a standard fire code that specifies requirements for smoke detectors, sprinkler systems, and so on. Why shouldn't we in the IA community have a similar standard for the firewalls defending our networks in cyberspace? Such a standard would address what services are allowed and what are not, how firewalls should be configured when they are connected to the NIPRNET (Sensitive but Unclassified Internet Protocol Router Network) and the SIPRNET (Secret Internet Protocol Router Network), and other critical issues.

We know that a chain is only as strong as its weakest link. Similarly, multiple interconnected networks and firewalls can offer sound protection only if all the firewalls prohibit risky services. Recent events in the news have illustrated the vulnerability of unprotected computers to unauthorized intrusions. Because there was no standard firewall policy, the U.S. Navy Fleet Commanders in Chief (CINC) implemented a standard fleet firewall policy for all fleet network operations centers, pierside firewalls, and selected shore activities (see http://www.infosec.navy.mil). This policy seeks to standardize the outer layer of computer network defense and is integral to the Navy's and Marine Corps' defense-in-depth network security strategy.

Hot, hot, hot!

The great American poet Robert Frost said, "Before I built a wall I'd ask to know / What I was walling in or walling out." In the IA context, these words can be viewed as a caution against the mindless pursuit of security at the expense of operational needs. Too often, however, IA professionals are required to support an application that relies on inherently risky services. Several examples have surfaced recently in which a fully developed software application has shown up on the doorstep of a command, awaiting installation. These "programs of record" are often designed with maximum accessibility in mind and minimum to no security controls. To work properly, these applications require lots of big holes in the firewall. This requirement puts the local Information Systems Security Manager and Designated Approval Authority (DAA) in a difficult position. The local command needs to run the application to do its job, but implementing the application as-is introduces risk to the entire command's information networks behind the firewall. Before such risky programs are implemented, the following questions should be considered: What is the value of opening those holes in the firewall? What is the risk to the rest of the network? Is there a possible compromise?

Fire Prevention Anyone?

How can we ensure that everyone is considering the necessary trade-offs between user friendliness, accessibility, and security? This assessment is critical and must take place at the very start of any development effort. As the saying goes, "It's a heck of a lot easier to design security into an application than it is to add security later on." Although, occasionally, it may be possible to paste on a little security late in the project, all too often doing so is very costly and cumbersome. Thus, information systems must address IA requirements and policies early in development, and before fielding into operational networks.

Recently, more than 20 programs of record were identified that conflicted with the current Fleet firewall policy. Is the policy too restrictive? Are the programs of record poorly designed? Although the answers to these questions are still being debated, one thing is clear: there have been known attacks on information networks when certain services, such as RPC and ActiveX, were permitted to pass unchecked through a firewall.

To mitigate the risks of incorporating these programs into our information networks, we must work closely with the programs' program managers. These program managers must provide the DAA with sufficient documentation to enable him or her to make an informed decision about implementing the new application on the local network. Documentation, such as an accreditation package, system security authorization agreement, risk assessment, and transition plan, will all help in delineating the proposed architecture and assessing the risks. In addition, the local site may require system security engineering before the program of record is integrated into the existing site configuration. Another approach could involve the use of virtual private networks implemented in parallel with existing firewalls, thereby allowing flexibility without compromising security.

As this discussion has shown, there are few easy answers for the IA professional today. As Quintus Horatius Flaccus said about 2000 years ago in his Epistles, "It is your concern when your neighbor's wall is on fire." Thus, for the foreseeable future, IA fire fighting and prevention will require much painstaking work and constant vigilance. In other words, we cannot just ride on the back of the fire engine.


Brian Bottesini is an Information Assurance Advisor to U.S. Naval Forces, Europe. He may be reached at cnen67@naveur.navy.mil




Keys to the Kingdom

Captain Robert West, USN
Deputy Commander, JTF-CND

Not so long ago, the Department of Defense (DoD) was at the forefront of information technology (IT) development. In fact, the Advanced Research Projects Agency Network (ARPANET), which later spawned that unruly child the Internet, had its roots in DoD's rich history. When ARPANET was under development, DoD was leading the IT revolution; however, that is no longer the case. Today, newly emerging information technologies are a part of every viable business enterprise and new technologies affect the lives of all Americans in ways that were unimaginable only a few years ago. The amazing growth in IT over the past several decades, coupled with DoD's constantly shrinking budgets, has relegated DoD to the role of an IT consumer. It is simply a fact that we no longer enjoy the technical superiority we once had.

As a result of this decline and our increasing dependence on sophisticated high-tech networks for support of operations, we have become increasingly vulnerable to outside influence. For example, DoD, like the rest of the world, has become utterly dependent on the Internet. Whether supporting on-line contract bidding and execution, ensuring robust logistics support worldwide, or maintaining deployed troops with E-mail connectivity to family members back home, the Internet has become vital to how we conduct operations.

With these new dependencies has come an increasing awareness of major information and computer security issues. Let's face it, a system whose primary design feature is the ability for any computer in the world to rapidly and efficiently share information and processes with any other computer on the planet must have inherent security vulnerabilities. And that is the case with the Internet today.

As a major IT consumer, DoD invests heavily in information assurance (IA). The department has instituted a layered-in-depth strategy and is spending millions of dollars each year on sophisticated intrusion detection devices, high-assurance firewalls, symmetric and asymmetric encryption, strong authentication, and any other technologies that show promise.

Additionally, DoD has instituted a department-wide Information Assurance Vulnerability Alert (IAVA) program to patch existing technical vulnerabilities. Since the program's implementation in June 1998, 26 IAVAs have been published. These alerts have addressed a wide range of technical security issues for DoD networks. As a result of this program and other elements in our in-depth strategy, we should be close to achieving a reasonable level of security on our networks.

So why is it that outsiders continue to penetrate DoD networks on a routine basis? A recent statistic developed by the Joint Task Force for Computer Network Defense (JTF-CND) indicates that more than 90 percent of all successful intrusions into the Sensitive but Unclassified Internet Protocol Router Network (NIPRNET) in 1999 were accomplished by exploiting known vulnerabilities. In each case, state-of-the-art security devices were already in place and the exploited vulnerability had been identified and addressed with an IAVA. In fact, implementation of the existing IAVA would have prevented the unauthorized access, if only the patch had been installed at that location. The good news is that DoD's strategy is, in fact, identifying most technical security vulnerabilities. The bad news is that those responsible for implementing IAVA patches have not consistently done so.

Today, this security problem is compounded by the fact that almost all unauthorized accesses are prolonged by the intruders' use of additional exploitation techniques after they first gain access to an account. Whether the intruder gains initial access by exploiting an unpatched vulnerability, by gaining physical access to a protected location and stealing the necessary account data, by "sniffing" passwords on-line, or by scanning for never-activated accounts with still-active default passwords, the result is the same. The unauthorized individual achieves user status in the system, and from there generally has no trouble gaining system administrator or root privileges. Tools for gaining such privileges are readily available on the Internet today. Unfortunately, current intrusion detection capabilities have a difficult time distinguishing between authorized users and unauthorized users masquerading as legitimate. The experience of the JTF-CND in the past year supports this perception. With very few exceptions, initial incident detection has come, not from automated devices, but rather from system administrators who have detected unusual account activity at their site through detailed system log analysis or other means. Only after an initial report has been forwarded have we been able to "tune" the intrusion detection devices to help fill in the details about the nature of the abnormal activity and to assess whether there has been a coordinated or systematic effort directed against computers across DoD.
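The detection the paragraph credits to system administrators, spotting unusual account activity by reading system logs, is the kind of check that can be scripted and run nightly. What follows is an added example, not JTF-CND code or any DoD tool. It parses constructed authentication log lines written in the common OpenSSH and pam_unix syslog formats, compares them against a constructed account inventory, and flags the patterns the paragraph lists: a login to a never-activated account, a login from outside an assumed trusted address range (10.0.0.0/8 here), a login during quiet hours, and a non-administrator account obtaining root through su. The host name, account names, addresses and timestamps are all assumptions.

```python
"""
Flag unusual account activity in authentication logs.

Added example, not JTF-CND code or a real DoD tool. The log lines, account
inventory and trusted network range are constructed for the example; the
line formats follow common OpenSSH and pam_unix syslog messages.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed log excerpt (syslog omits the year; 2000 is assumed below).
LOG_LINES = """\
Mar 14 02:13:07 host1 sshd[2201]: Accepted password for guest from 192.0.2.77 port 4021 ssh2
Mar 14 02:13:40 host1 su[2230]: pam_unix(su:session): session opened for user root by guest(uid=1001)
Mar 14 09:02:11 host1 sshd[2290]: Accepted publickey for jsmith from 10.1.2.3 port 1022 ssh2
Mar 14 09:40:00 host1 su[2310]: pam_unix(su:session): session opened for user root by jsmith(uid=1000)
Mar 14 23:55:19 host1 sshd[2410]: Accepted password for backup from 203.0.113.9 port 33011 ssh2
Mar 15 00:02:51 host1 su[2430]: pam_unix(su:session): session opened for user root by backup(uid=1002)
""".splitlines()

# Constructed account inventory. "activated" is False for accounts created
# with a default password that no real user has ever claimed.
ACCOUNTS = {
    "jsmith": {"admin": True, "activated": True},
    "backup": {"admin": False, "activated": True},
    "guest": {"admin": False, "activated": False},
}
TRUSTED_NETS = [ip_network("10.0.0.0/8")]   # assumption: the site's own address space

LOGIN_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]+) (\S+) sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SU_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]+) (\S+) su\[\d+\]: .*session opened for user (\S+) by (\w+)\(uid=\d+\)")


def _ts(text: str, year: int) -> datetime:
    # syslog timestamps carry no year; supply one so events can be ordered
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse(lines, year: int = 2000) -> list:
    """Turn raw syslog lines into event dicts; lines that match nothing are skipped."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            ts, host, method, user, src = m.groups()
            events.append({"ts": _ts(ts, year), "host": host, "kind": "login",
                           "user": user, "method": method, "src": src, "raw": line})
            continue
        m = SU_RE.match(line)
        if m:
            ts, host, target, user = m.groups()
            events.append({"ts": _ts(ts, year), "host": host, "kind": "su",
                           "user": user, "target": target, "raw": line})
    return events


def detect(events, accounts=ACCOUNTS, trusted=TRUSTED_NETS, quiet_hours=(22, 6)) -> list:
    """Return (rule, user, raw line) for each event matching an abuse pattern.
    Unknown accounts are treated as never activated and non-administrative."""
    findings = []
    for ev in events:
        acct = accounts.get(ev["user"], {"admin": False, "activated": False})
        if ev["kind"] == "login":
            if not acct["activated"]:
                findings.append(("never-activated account used", ev["user"], ev["raw"]))
            if not any(ip_address(ev["src"]) in net for net in trusted):
                findings.append(("login from untrusted source", ev["user"], ev["raw"]))
            hour = ev["ts"].hour
            if hour >= quiet_hours[0] or hour < quiet_hours[1]:
                findings.append(("login during quiet hours", ev["user"], ev["raw"]))
        elif ev["kind"] == "su" and ev["target"] == "root" and not acct["admin"]:
            findings.append(("root obtained by non-admin account", ev["user"], ev["raw"]))
    return findings


if __name__ == "__main__":
    for rule, user, raw in detect(parse(LOG_LINES)):
        print(f"[{rule}] {user}: {raw}")
```

On the sample data the administrator jsmith produces nothing, while guest (a default account nobody ever activated) and backup (a service account that should never need root) each trip several rules in sequence, which is the "user status, then root" progression the paragraph describes. The point of keeping the account inventory beside the parser is that the log alone cannot tell a legitimate su from an illegitimate one; only the administrator's knowledge of who is supposed to hold which privilege can.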

Although we should certainly continue to pursue technical solutions to security concerns, it should be abundantly clear that technical devices alone are inadequate for addressing DoD's ever-increasing security issues. It is time for DoD to shift its corporate focus a bit and begin addressing the most pressing security issue of all, our people. Our system administrators are the ones granting network access in the first place, in the form of user privileges. For this reason, they are the ones best positioned to distinguish between legitimate and illegitimate access. System administrators also are the ones charged with installing IAVA patches when new vulnerabilities are discovered. In short, they own the keys to the kingdom. It is time we recognize just how important this group has become to the success of any operation.

What we need now is a top-down DoD-wide network security policy that brings consistency to system administrator training and certification. Operational commanders at all levels must make network security a top priority. At a minimum, all system administrators should have background checks, SECRET (or higher) clearances, and direct access to a classified environment for incident reporting and coordinated response measures. Additionally, system administrators should receive initial and refresher security awareness training and formal training on IAVA compliance and incident reporting procedures.

We can spend every red cent the Congress appropriates on better technology and we are going to be no more secure than we are today, unless, repeat unless, we start spending significant amounts of money on those who are entrusted with maintaining our operational networks in a high state of readiness. After all, our system administrators are the operators of all of this great technology and they are our front line defenders as well. Before we grant that much responsibility to any one group of individuals it only makes sense that those individuals be put through the scrutiny of a background check and that granting of complete access to the inner workings of our networks be coupled with appropriate training and certification. To do otherwise is to ensure that future adversaries will also have access to the keys to our kingdom when it is most imperative for them not to.


Captain Robert West, USN, is the Deputy Commander, Joint Task Force - Computer Network Defense. As such he is responsible for coordinating and directing the defense of DoD computer systems and computer networks. CAPT West earned a B.E. (Electrical Engineering) from Vanderbilt University, an M.S. in Political Science from Auburn University, and a J.D. in General Law from Catholic University of America. He may be reached at westr@jtfcnd.ia.mil




Law Enforcement and Counterintelligence Support to CND

Special Agent Michael R. Dorsey, DCIO CND Law Enforcement & Counterintelligence Center

Advances in the personal computing industry, the emphasis on information technology, and in particular, the exponential growth of the Internet have dramatically changed the focus, attention, and efforts of law enforcement and counterintelligence (CI) organizations within the United States. In the past 5 years the U.S. law enforcement (LE) community has struggled to keep pace with dramatic changes in this field, since computers are involved in virtually all aspects of criminal investigations. Whether a computer is used as an instrument of a criminal act, is the target of a criminal act, or retains critical evidence of a criminal act, investigators increasingly encounter computers and information technology in their work. Similarly, the U.S. CI community has found that computers are often at the heart of elaborate espionage cases, or are the target of foreign intelligence exploitation through the Internet. Information technology professionals and senior policy experts have publicly warned of the catastrophic consequences that computer network attacks (CNA) could have in the near future. The sheer numbers and complexity of computer network intrusions, probes, and mapping, and the proliferation of viruses and worms have caused considerable alarm in public and private sectors. The most recent round of distributed denial-of-service attacks on a number of well-known e-commerce sites had a direct impact on the value of high-technology stocks and shook the confidence of many e-commerce customers. For these reasons, among others, law enforcement and counterintelligence support must be considered an essential layer in any defense in depth strategy designed to provide a computer network defense (CND). The law enforcement and counterintelligence communities are critical in the efforts to assign attribution to network intrusions, and are the only authorities capable of conducting a detailed forensics analysis of systems to reconstruct evidence of a criminal act.

Law enforcement and counterintelligence have learned a number of valuable lessons in the wake of significant computer network intrusions such as the Cuckoo's Egg, Ardita, and Solar Sunrise. Each of these computer intrusion incidents clearly identified weaknesses in law enforcement authorities' processes and ability to respond quickly to CNA. More important, these intrusions have highlighted the wide split between information systems security personnel, who clearly need information to protect their networks from further degradation, and the LE community, which traditionally has held investigative information within its own close circles, drawing a solid "blue line," across which active investigative information does not pass.

As a result of these sometimes competing security objectives, senior policy makers have often referred to computer network intrusion incidents as a matter of "national security versus law enforcement." By its very nature, this dichotomy seems to dictate a win-lose scenario. This view has not been of benefit to either the information systems security community or the LE community. Moreover, within the Department of Defense (DoD), this dichotomy has had an injurious effect on the network operations community, which is charged with ensuring the continuous flow of information over networks to support military operations. The business operations community too has been torn between the needs of its information security personnel and the needs of law enforcement when network intrusions occur. In both cases, critical operational decisions must be made based on the sharing of information among traditionally distinct groups that, in the past, have resisted collaboration and kept information within their own circles.

However, this win-lose relationship between national security and law enforcement is now being turned into a win-win philosophy through the establishment of several joint, interagency organizations and a willingness to include the LE and CI personnel as a part of the defense-in-depth strategy of information systems security. After the resolution of the Solar Sunrise intrusions into DoD networks in 1998, President Clinton signed Presidential Decision Directive 63, establishing the National Infrastructure Protection Center (NIPC). Both this directive and the NIPC were established to formulate a strategy to protect our national information infrastructure (NII) from deliberate attacks. There was a clear recognition that a central information clearinghouse, composed of multiple organizations from the law enforcement, intelligence, and technical security communities, was essential to the protection of the national infrastructure. The development of the NIPC included agencies such as the FBI, the U.S. Secret Service, the Postal Inspections Service, NASA, the Defense Criminal Investigative Organizations (DCIO), the State Department, the CIA, the National Security Agency, the Air Force Intelligence Agency, and various technical security representatives. Additionally, partnerships were developed with the public utilities critical to the NII. It was envisioned that the NIPC would be able to gather information from the public and private sectors and provide ample warning of threats, analyze trends, and collaborate to fight the criminal hackers and foreign intelligence organizations exploiting our information networks. This goal necessitated a change in the traditional thinking of separate, insular organizations that were not accustomed to collaborating with each other, let alone to sharing sensitive information about ongoing events. It has required a degree of trust and the building of partnerships which has never before been attempted. While much work remains in this process, considerable progress has occurred, and, as a result, significant accomplishments have been realized.

At about the same time that the NIPC was being developed, a similar process was occurring within DoD. The Office of the Secretary of Defense established the Joint Task Force for Computer Network Defense (JTF-CND) to protect the Defense Information Infrastructure (DII). The concept of the JTF-CND was to provide a single organization within DoD that would develop a common operational picture and situational awareness of computer network attacks against the DII. To accomplish this task, a small cadre of military and civilian personnel with varied professional backgrounds was assembled under one command and co-located with the Defense Information Systems Agency (DISA). The JTF-CND provides joint operational command and control of the military services' computer network defense (CND) organizations. As a component of the Commander in Chief, U.S. Space Command, the JTF-CND works closely with each of its military service components, regional commanders in chief (CINC), and defense agencies. In addition to the military operations and systems security personnel that make up the JTF-CND, the DCIOs have formed a joint law enforcement and counterintelligence center, co-located with the JTF-CND, to provide LE and CI support to CND.

Again, the emerging threats of network attacks and exploitation have resulted in the formation of nontraditional organizational partnerships and necessitated the sharing of information across organizational boundaries to meet and defeat these threats. Within DoD, co-location of diverse expertise and responsibilities from the information security, military operations, LE, and intelligence organizations has resulted in close collaboration concerning the information needed to protect our information infrastructures. However, if this collaboration is to be successful, there must be recognition of the organizational responsibilities and the benefits that each organizational element brings to the problem set. This is especially true for the LE and CI communities. The win-lose perspective of “national security versus law enforcement” significantly hampered coordination and cooperation among traditional military operators, information system security professionals, law enforcement, and counterintelligence organizations. This reluctance to share information on ongoing investigations stems from a concern that the target of the investigation, or the adversary, could be alerted to the investigation and destroy evidence or alter his or her activity to avoid arrest and prevent a successful prosecution. Law enforcement professionals in the computer intrusion environment will have to fight against this understandable reluctance if we are to succeed in our pursuit and assist in the protection of the national information infrastructure. In addition, technical security professionals and the operations communities of government and business must recognize the benefits and advantages that LE and CI organizations bring to defending computer networks.

During the initial stages of a network intrusion, the systems administrator has the opportunity to gather or capture valuable information from intrusion detection systems or system logs that will later benefit technical analysis and aid a law enforcement investigation and subsequent forensics analysis of the attacked system. The systems administrator should conduct all actions possible and permissible to him or her under the Electronic Communications Privacy Act (ECPA). ECPA permits network owners to conduct certain activities to protect and defend the health and welfare of their networks. However, network owners and administrators should also recognize that most intrusions are also violations of Federal law. This recognition allows network owners and administrators to avail themselves of the greater authorities and powers granted to law enforcement organizations. LE organizations will typically respond to reports of system intrusions by using criminal investigative authorities. In the event of an attack, the network owner must decide whether to immediately shut down the affected system or network or to allow continued monitoring of the intrusion activity by law enforcement. Continued monitoring of the intrusion activity may present an opportunity to trace the hacker's route and glean valuable intelligence about the tools and techniques being exploited by the hacker. The investigative tools used by law enforcement include official requests for information, criminal subpoena, court orders for records, search warrants, and undercover operations. Additionally, Federal law enforcement maintains close partnerships with counterpart agencies all over the world and will frequently request the assistance of foreign counterparts if an intrusion activity appears to pass through, or originate from, other countries.

This does not mean, however, that a law enforcement investigation is not a matter of national security. Particularly where DoD systems and networks are the victim of root-level intrusions, the DCIOs [Air Force Office of Special Investigations (AFOSI), National Crime Intelligence Service (NCIS), Defense Criminal Investigative Service (DCIS), U.S. Army Criminal Investigation Department (USACID), and U.S. Army Military Intelligence (USAMI)] approach all such activity as a matter of national security because of the potential impact on U.S. military operations and the sensitivity of the information contained in DoD networks. However, current laws and policies require that we first use the investigative tools and authorities of a criminal investigation before we use the authorities of the Foreign Intelligence Surveillance Act (FISA) or conduct a counterintelligence investigation. The primary purpose of this requirement is to ensure that our national intelligence agencies, including counterintelligence, do not unlawfully collect sensitive information about U.S. persons, as defined in Executive Order 12333.


SOCOM NOSC

continued from page 16

ways for unauthorized users to gain access to computer systems. USSOCOM launched a program to ensure that its users' passwords are properly configured to reduce the risk of unauthorized access. In addition, all users are required to receive computer security training before gaining access to any USSOCOM system. USSOCOM then runs periodic programs to attempt to crack users' passwords. If a password is cracked, the user must go through a prescribed process to regain access to USSOCOM systems.

The USSOCOM NOSC provides the command with an organization that can monitor its networks for any type of trouble. If problems occur, the [illegible in source] whether [...] soft- [...] and [...] to fix [...] ping its [...] and [...] SC, USSOCOM is ready to provide its customers with better and more secure service, making it easier for USSOCOM's forces to carry out their diverse missions.

Major Jordan is the Chief of the Enterprise Systems Branch for USSOCOM. As the branch chief, Major Jordan is responsible for the operations and maintenance of USSOCOM's intelligence, collateral, and unclassified computer systems. He received his B.S. in mathematics with a computer concentration from the University of Notre Dame and a M.S. in Computer Science from the University of Dayton. He may be reached at jordanj@socom.mil.


Law Enforcement

continued from page 23

For this LE/CI process to work effectively, law enforcement and counterintelligence organizations must be able to provide technically relevant information to the systems security and operations community during an investigation. At the same time, system owners and information security personnel must respect the need of LE and CI organizations to withhold some specific information about the investigation, such as the identity of the suspects, confidential source-related information, and information that was derived from a grand jury subpoena or an electronic intercept order. Each component involved in an intrusion incident must recognize the interests of the other components and work in collaboration with them to resolve the incident. The information security community must recognize that the law enforcement investigative process is methodical and somewhat slow by nature to ensure the liberties that we enjoy in our democracy. System owners and operators must recognize the value of deterring further network intrusions through successful investigations and prosecutions of criminal hackers. Where foreign governments, intelligence services, or terrorist organizations are found to be responsible for intrusions and exploitation of networks, CI operations designed to gather information and manipulate the adversary's perceptions may be the most effective method of defending the national information infrastructure.

Our national information infrastructure will continue to be a viable target of criminals, intelligence operatives, terrorists, and nation-sponsored information warfare for the foreseeable future. The DII presents an attractive target for each of these groups for a variety of reasons. To successfully defend the DII, we need to maintain a robust team of technical security professionals, military operators, intelligence officers, and law enforcement and counterintelligence investigators. This team will continue to develop the process by which it shares information across organizational boundaries to protect and defend the DII, and will aggressively pursue those who attempt to illegally penetrate the infrastructure. Law enforcement and counterintelligence support to CND is a matter of force protection and is critical to forming a common operational picture of the threats affecting the security of our military operations.

Supervisory Special Agent Michael R. Dorsey recently completed his duties as the Chief of the DCIO CND Law Enforcement & Counterintelligence Center. He may be reached at his current assignment at MDorsey@ncis.navy.mil.


Information Assurance Training at the U.S. Army's Computer Science School


Because of the increasing number of information warfare attacks directed against the Department of Defense (DoD), the U.S. Army has issued several directives concerning security training for system administrators (SA) and network managers (NM). The directives, originating from the Army's Director of Information Systems for Command, Control, Communications, and Computers (DISC4), require that all Army military, government, and civilian SAs and NMs be trained in information systems security, depending on their experience and skill levels.

One DISC4 directive states that all Army SAs and NMs will be trained and Phase 1 Information Assurance (IA) certified. All Army SAs and NMs with 3 or more years of experience will be trained to the Phase 2 level and Phase 2 IA certified. The deadline for Phase 1 and Phase 2 IA certification is December 2000.

The U.S. Army's Computer Science School (CSS) at Fort Gordon is conducting computer security training to meet Phase 1 and Phase 2 IA certification requirements. The primary goal of this security training is to increase the ability of Army SAs, NMs, and Information System Security Officers (ISSO) to protect friendly information systems by preserving the confidentiality, integrity, and availability of the systems and the information they contain.

The CSS offers a free Web-based ISSO course requiring approximately 20 to 40 hours to complete. The course, including the test and certificate generation, is completely Web based and is considered equivalent to Phase 1 IA certification by DISC4. Approximately 2,000 persons have taken the ISSO course and passed the ISSO Web-based examination. The course is located on the Web at www.gordon.army.mil/css/css/courses.htm.

The CSS also conducts the majority of Phase 2 IA certification training for the U.S. Army. Phase 2 security certification consists of two 1-week courses, usually conducted in sequence.


Major Mark V. Hoyt, USA, Fort Gordon

The first week of Phase 2 security certification is called the System Administrator's Security (SAS) course. This course focuses on securing the information system platform. The first 4 hours of the course are spent primarily on reviewing Army regulations, public law, and access control measures. After the first half day, the course focuses on securing the information system's platform by securing the operating system that runs the system. During the SAS course, 15 hours are spent on hands-on training in securing Windows NT platforms. The final 14 hours of the course are spent on hands-on training in securing UNIX platforms (using Solaris 2.6).

The second week of Phase 2 security certification is called the Network Manager's Security (NMS) course. This course focuses on network security. The first day provides background information on the Army's Computer Emergency Response Team, the Network Security Improvement Program, a briefing by a counterintelligence agent, and an overview of common network and information system threats. The second day focuses first on cryptography and then on how to secure a Web server (an Internet Information Server is used for the hands-on training). The third day focuses on the use of routers to secure networks, with hands-on training conducted on CISCO routers. The fourth day of the

continued on page 3d


SA/NM level                            Phase 1 IA certification   Phase 2 IA certification
Level 1 SA/NM (Classified System)      31 Jan 1999                Not Required
Level 1 SA/NM (Unclassified System)    31 Dec 2000                Not Required
Level 2/3 SA/NM (Classified System)    31 Jan 1999                31 Dec 2000
Level 2/3 SA/NM (Unclassified System)  31 Dec 2000                31 Dec 2000


That's NOT My Final Answer... Your PKI Help Desk Solution and the Answers You Need.

Ms. Victoria Alkema, DISA Defense Enterprise Computing Center Detachment

The Public Key Infrastructure (PKI) program is a DoD-wide team effort. The PKI Program Management Office (PMO) leads the effort, and is supported by the engineers who design and implement the changes. You—our customers—are critical to implementing the PKI technology, and the Help Desk stands ready to assist you.

What can I expect?

When you initiate a call to the PKI Help Desk, there is no need to apologize for not understanding the problem or having to contact us. We are quick to dispel these thoughts, for that is contrary to our purpose, which is to assist all DoD personnel in obtaining their PKI certificates. Your PKI Help Desk is located at Defense Enterprise Computing Center (DECC) Detachment Chambersburg and stands ready to assist you.

Because of the vastness of potential issues, the Help Desk is limited to assisting in obtaining End User, Local Registration Authority, Registration Authority, and Server Certificates, and will troubleshoot connectivity issues. When you successfully obtain the certificate, the actual implementation and usage will be based on vendor-specific guidance. The Help Desk is not unequivocally responsible for that assistance, but does maintain a knowledge-base of some of the more popular "lessons learned" from others' implementations. That information can be easily recalled from our knowledge-base and, if available, offered to further your investigation.




The PKI Help Desk is staffed by technicians ready to assist 24x7, and may be reached by phone at 1.800.582.4764, commercial 717.267.5690 (DSN 570), or by E-mail at WEBLOG@chamb.disa.mil. When you call, a technician will listen to your situation, ask a few questions, and open a trouble ticket. Should you choose to E-mail the Help Desk, please include your telephone number, IP address, 10 character unique identification number (if known), and a detailed description of the problem. Also include the most convenient time to contact you, and we will attempt to comply. This trouble ticket is important, for it allows the technician to record details of your technical problem, our information, updates, and final resolution.

If the technician is unable to find an existing instance of your problem, you are likely to be connected to a senior technician at that time. The original technician will remain on the line to hear the problem resolution process and obtain the solution. Most often, the situation can be resolved over the phone, but occasionally it requires more in-depth analysis and assistance. However, the resolution will rarely take more than a day. Whatever the case, the ticket remains open until you are satisfied and concur with closure; otherwise the ticket returns to the senior technician to continue the work.




Am I the only one?

The PKI Help Desk staff have been performing these specific services for over two years and have compiled a vast knowledge-base of customer-related issues. The questions cover a wide spectrum—from novice users to system engineers. The PKI hierarchy is this: the end user will contact the Local Registration Authority (LRA); the LRA would contact his Registration Authority (RA); and ultimately the RA will contact the Help Desk. Since there are less than one hundred RAs and about four hundred LRAs, following the defined hierarchy can better assist the potential 3.2 million DoD end-users. We realize that is not always possible and will respond to all calls accordingly. If you do not know who your LRA or RA is, please contact us and we can assist you.

[Figure: Class 3 PKI Pilot Architecture]

Each CINC/Service/Agency (C/S/A) is assigned an official point of contact (POC) for PKI technical representation. The POC list is maintained by the PKI PMO and is provided to our Help Desk. The Help Desk utilizes a technical representative when an issue arises unique to a C/S/A. These representatives are actively participating in the PKI technical groups, representing your interests, and are critical to the Help Desk and you. If the Help Desk cannot arrive at a resolution, the subject is referred to the PKI PMO, who is a constant source of guidance.

The Help Desk offers you the additional benefit of other DoD partners' information during research. As desktop software evolves, we are continually reviewing other knowledge-bases, FAQs, and help sites, readily advising callers of information. The PKI PMO is continually posting changes to the PKI Web site http://iase.disa.mil. This is truly a network of knowledge, and we are pleased to assist you in finding the answer.

When a situation requires that information be widely disseminated to DoD PKI users, an E-mail broadcast message is generated from our Help Desk. This is always in compliance with the PKI PMO policy of advising of changes, updating status, and/or giving guidance. The PKI PMO and the Help Desk work closely in preparing announcements and responding to customer-reported difficulties.

The trouble ticket information you supply is read by the PKI PMO weekly. This information is analyzed by the PKI PMO and engineers and may determine a program change or identify a training weakness. Contacting the PKI Help Desk should never be viewed as a weakness, but as a contributory strength to the entire DoD PKI team effort. We appreciate you, our customers, and look forward to your call.

Victoria Alkema is the Defense Information Systems Agency PKI Project Lead, located at Defense Enterprise Computing Center Detachment, in Chambersburg, Pennsylvania. She is continually in touch with the PKI program management office, training coordinators, and System Engineers to facilitate smooth operations and resolve customer-reported outages. A trained team of PKI colleagues and team members make this PKI Help Desk successful.


[Figure legend: CA - Certificate Authority Server; DS - Directory Server; LRA - Local Registration Authority]


Marine Corps Active Computer Network Defense

The Changing Face of Warfare

“They will attack us asymmetrically, pitting their strength against weakness, whether that lies in the military, political or domestic realm. For example, in future conflicts, data lines of communication may be just as important as sea lines of communication—and our adversaries, whether they are third world nations, transnational actors, or crime syndicates, will attack them.”

—General Krulak, 31st Commandant of the Marine Corps

Captain Carl Wright, USMC
Major Ted Steinhauser, USMC (Ret)


Today's enthusiastic and unparalleled consumption of information technology by corporate America and government has created superior enterprise-scale business process capabilities. However, in the rush to exploit the advances in information technology, an evolutionary vulnerability has developed in connection to the interdependencies these systems rely on to function in the global arena. From both the corporate and the DoD perspectives, the enterprise approach to defending the venture capability has become the predominant weapon in the system security arsenal. This article will briefly explore the Active Computer Network Defense (ACND) model in relation to the Marine Corps' success in defending both garrison and deployed tactical environments.

Overview

Significant progress has been made in defining and articulating the effects of information warfare, or cyberwar, on the global information grid (GIG). The majority of these studies concern the information revolution, the changing face of warfare, and DoD's need to develop security procedures that ensure that information is available to commanders when required.

Today's cyber defense efforts indicate that although organizations are striving to enhance their security posture through the use of boundary-level security devices (e.g., firewalls), their focus remains myopically on protecting the “front door” or forward edge of the battle area. Cyber-centric maneuver warfare implies that the adversary will not attempt to effect change or impact via direct frontal assaults on information technology assets, but is far more likely to conduct guerilla-type information warfare, penetrating soft targets while ensuring that the defender's limited security resources are engaged elsewhere. The implication is that the adversary will obtain access to targeted systems by means of well-orchestrated electronic envelopment and distraction drills, eventually achieving penetration regardless of defensive security initiatives. Therefore enclave compartmentalization, distributed defense-in-depth mechanisms, real-time system battle damage assessments, and immediate recovery techniques will become the critical success factor in the new cyber defense model.


Active Computer Network Defense (ACND) Model

ACND is predicated on the original defense-in-depth model, which is widely used throughout the DoD and the Federal Government. The ACND model capitalizes on the multilayered defensive strategy of defense-in-depth by incorporating enterprise business processes, strong standardization, and configuration control down to the lowest possible point in the organizational information technology infrastructure. The more centralized this control, the more formidable the defense posture the organization responsible for computer network defense (CND) can foster. The ACND model helps answer the “how” of developing, deploying, and sustaining a secure homogeneous enterprise network in a heterogeneous network environment. It is important to understand that ACND does not focus solely on specific security technologies, but is more concerned with enterprise business processes and how they integrate with security technology to address the cyber-centric maneuver warfare threat.

In order to fully understand the Corps' ACND posture, a brief overview of their enterprise network (the Marine cyber battlefield) is necessary. From its inception, the Marine Corps Enterprise Network (MCEN) was built on a foundation of securable technologies, enabling centralized control, sustainment, protection, and, most importantly, the defense of the Corps Information Infrastructure. The MCEN ACND process focuses on creating centralized cross-functional information technology support structures resident with the Marine Corps Information Technology & Network Operations Center. By means of 24x7 monitoring of all MCEN access points (see figure below), security-related data and logs are securely transmitted to the centralized data repository for detailed analysis by highly trained Marines supported by government civilians and contractor personnel. Depending on the situation, corrective action may be directed by the Commander (COMMARFOR-CND) after the situation is assessed by the MARFOR-CND staff, at which time the defensive response may be enacted at the lowest point in the infrastructure, the user's desktop. In concert with the technological ability to direct defensive response across the enterprise, the ACND response process provides real-time defense to MCEN users no matter where they are or what time of day an incident occurs.

Deployed Security Interdiction Device (DSID)

Technology plays an instrumental part in the Corps’ ACND methodology. From its initial use in protecting and defending the MCEN environment, the Marine Corps has expanded the ACND model to the Fleet Marine Force (FMF) for use in the deployed tactical environment. The Deployed Security Interdiction Device (DSID) is a tightly integrated package of best-of-breed commercial off-the-shelf technology, similar to that used in garrison, that directly supports the Marine Corps’ ACND process. DSID gives the deployed tactical commander the same boundary-level security architecture that Marine Corps forces enjoy in the MCEN garrison environment. Its primary function is to provide a layered defense of the boundary-level point-of-presence tactical network. The DSID package integrates routers, advanced access control lists, firewalls, network intrusion detection systems (IDS), host-level IDS, virtual private network technology, and vulnerability assessment software to provide a comprehensive enterprise network security system. Currently, DSID is an organic asset of the Marine Expeditionary Force Communication Battalion. In the deployed tactical environment, the DSID infrastructure resides between the Defense Information Systems Agency’s Strategic Tactical Entry Point (STEP) and the deployed unit’s network architecture in the states. DSID provides the deployed commander with the utility of joint information systems, in which a deployed unit reaches back to leverage information stores normally resident within the garrison environment. More important, DSID provides this capability to the commander in a robust, secure manner.

Figure: Marine Corps Active Computer Network Defense Architecture

In conclusion, the Marine Corps’ enterprise ACND approach to integrating technology and security core competencies has laid the foundation for the first deployed tactical CND system business process within DoD. The Marine Corps ACND approach ensures the integrity, availability, and confidentiality of the deployed commander’s information regardless of the commander’s location, foreign or domestic.


Captain Wright and Mr. Steinhauser have been actively engaged in the defense of the MCEN since the conception and establishment of the Marine Corps’ component of the JTF-CND. Captain Wright may be reached at wrightcm@noc.usmc.mil and Mr. Steinhauser may be reached at steinhauserth@noc.usmc.mil.




Is It Worth the Risk?

Major Boyles, USAFR

Imagine you are logged onto an NT workstation as a user in the Domain Admin group. You are doing research on mobile code, and your research takes you to a site off the beaten path. Without your knowledge, the registry self-administered maintenance (SAM) file from your workstation is E-mailed to an account at one of the popular free E-mail providers. Several weeks later your network experiences serious problems. The network administrator tracks those problems to a remote access to your network by someone using your account. Oops.

Or perhaps while you are surfing the Web, a script called hack.bat is deposited in your Startup menu. The next time you log on to your system the hack.bat script runs and changes the password for every user on your network and the networks of all trusting domains, including the password of the domain administrator. In addition, every NT system on the network has a strategic file removed, preventing each system from booting up after a shutdown. Finally, every NT system on the network is remotely shut down, including yours. Oops.

Malicious mobile code can do this. Should you be worried? Yes. You put your system and your network at risk every time you open an E-mail, attachment or not, and every time you browse the Web.

Warning Signs

One of the first demonstrations of our vulnerability to mobile code occurred in January 1997, when three German hackers showed a television audience how a Web page “click-bait” could use an ActiveX control to generate a clandestine electronic transfer of funds using Quicken.

In 1998, users of Microsoft’s Hotmail and QUALCOMM Inc’s Eudora were presented with a Trojan horse logon screen generated by a JavaScript embedded in their E-mail. When the users filled out the logon screen, the account information and the Internet Protocol (IP) addresses were E-mailed to the author of the hack.

The recent Guninski Exploit demonstrated how accessing a Web page or opening a hypertext markup language (HTML)-formatted E-mail could allow a malicious mobile code to take control of a user’s workstation. This exploit used the “object for constructing type libraries for scriptlets” ActiveX control.

The computer security company Finjan now offers a live demonstration of a harmless Trojan horse called Bill Vote Attack, which demonstrates how mobile code can be used to create a new folder on the Windows desktop filled with files copied from the hard drive.

What is Mobile Code?

Mobile code is any executable or interpreted program, script, or application that is introduced to a local system from a remote location and executed without the user’s consent. This broad definition includes the viruses that were once commonplace on floppy disk in the days of stand-alone computers and encompasses viruses, application macros (MS Word, MS Excel, etc.), files executed by applications such as Adobe Acrobat, Postscript files, and some code executed by Web browsers or E-mail applications. Mobile code is sometimes referred to as applets or downloadable code.

Mobile code is not in itself bad. In fact, it is a cornerstone of client/server computing. It enables our applications and allows us to create dynamic programs even if we are not skilled programmers. It jazzes up our Web pages and E-mail with sound, video, and animation; allows on-line chatting; automates workflow; and enables Web sites to automatically update software such as Windows NT, MS Explorer, and antivirus applications. Mobile code is becoming a requirement for enterprise networking, e-commerce, and data sharing. The problem is security and protecting our computer systems and networks from people with malicious intent. Macro viruses, such as Melissa, are now considered the most widespread malicious mobile code on the Internet.

For the sake of this discussion, let us refine our definition of mobile code to code that is transmitted by a network. If I receive an E-mail message with an executable file—say, a game—attached, I have the choice of executing that program or not. This is not mobile code according to our definition. Although the code moved from somewhere in cyber space to my workstation, I made the choice of executing it, knowingly assuming the risk that the game might contain malicious content. If, on the other hand, I open up an E-mail and inadvertently execute a code written in JavaScript, I have experienced mobile code. Where did this mystery code come from? What did it do? With the Web-enabled E-mail applications available today, previewing E-mail may be all it takes to give away protected information or to crash a workstation or a network. For example, the proof-of-concept worm BubbleBoy is activated simply by viewing an affected E-mail in the Preview pane of Microsoft Outlook or Outlook Express. This worm, when activated, performs a mass E-mail a la Melissa, then updates the user’s registry. BubbleBoy is written in Visual Basic Script (VBScript) and uses Microsoft’s ActiveX control mobile code.

There are many types of Web-related mobile code. Examples are Microsoft’s ActiveX, VBScript and Visual Basic for Applications (VBA), Sun Microsystems’ Java Applets and JavaScript, and a whole slew of plug-ins.


Scripted mobile code, such as VBScript, JavaScript, LotusScript, PerfectScript, and VBA, arrives in the form of text that must be interpreted at run time. It is possible to discern the scripted text’s potential for harm by viewing a Web page or an E-mail source or macro.

For brevity’s sake, in our consideration of the compiled class of mobile code, we will limit our discussion to the most popular forms: Java and ActiveX. Java runs in most Web browsers, including Netscape’s Communicator and Microsoft’s Internet Explorer. It is compiled into an intermediate, architecturally neutral format called byte code. This byte code must be executed within a Java Virtual Machine (JVM) in order to run. A JVM is included in most Web browsers. Currently ActiveX is exclusive to Explorer, although it will run with a plug-in on Communicator. This code, known as a control, has been compiled into a binary specific to 32-bit Windows and is essentially the same as the Dynamic Link Library (DLL) files that are common to all Windows-based workstations. ActiveX is the most powerful of the mobile codes and therefore presents the greatest risks. It is native Windows and can do anything Windows can do, depending on the permissions of the user (e.g., read, write, copy, and delete files; run applications and APIs; connect to network resources; send E-mail).

How Mobile Code Works

When you browse a Web page with ActiveX code embedded in it, you are trusting the Web page to do the right thing and not take advantage of you. When you connect to the Web page, code is downloaded from the Web server onto your computer’s local environment and executed on your workstation with your privileges and local system resources. This allows you to interact with the Web site, enabling you to fill out information and send it back to the Web server for processing, submit forms, open spreadsheets, execute database queries, and perform other productivity-related functions. The mobile code running on your local workstation can determine information about you—who you are, your permissions, your group membership—and grant you access to data and information without your needing to log in or authenticate. This is most valuable in an intranet environment, where applications are Web enabled and run on the server, but is also valuable for Internet use. Mobile code saves you from having to download and install applications on your local workstation. It also allows applications to manage your file system, create directories and files, update your registry, and prepare your environment for whatever. In addition, mobile code will jazz up your Web experience by creating dynamic images and dialog. Much of what mobile code does can be accomplished by server-side applications with the use of Java servlets, SQL, CGI, gif89s, and many other helpful tools. However, a downside is that server-only Web pages are resource intensive and require users to log in and authenticate. Without authentication all users are treated the same by the server and are considered anonymous, with vastly reduced privileges.

Scripting was developed because plain HTML wasn’t enough. VBScript and JavaScript are not nearly as powerful as ActiveX but still put systems at risk. Java Applets present the least threat because they employ a security wrapper called a Sandbox.

Guarding Against Malicious Mobile Code

The risk from mobile code can be mitigated by proper management. What this entails depends on the type of code.

ActiveX has an all-or-nothing approach to security based on digital signatures contained in the ActiveX controls. Your browser can be configured to allow downloading of ActiveX controls from trusted sources only, based on these digital signatures. Nontrusted sources will then cause your browser to prompt you if you want to run an ActiveX control. All ActiveX controls run with the same privileges, regardless of their source. In my experience, only a small percentage of Web sites (1 to 2 percent) actually have ActiveX applications, and choosing not to run ActiveX, in most cases, prevents only a single action from occurring. Therefore, the Web page will continue to function if ActiveX does not run. The area in which ActiveX mobile code is taking off is Web-enabled applications, such as MS Access, running on a server. Even then, preloading ActiveX will prevent it from becoming mobile and being downloaded to your system. A good security practice is to disable ActiveX in your E-mail and to require your browser to prompt you each time it is requested. Then you can decide in each case whether to assume the risk. In the future, expect Department of Defense (DoD) sites to restrict ActiveX at the firewall and to enforce a policy on the browser of “no ActiveX.” This practice will still allow you to use ActiveX plug-ins and to have ActiveX associated with installed applications through DLLs, just not mobile code.

JavaScript and VBScript are more popular than ActiveX. It is estimated that more than 80 percent of Web sites contain either JavaScript or VBScript. These active scripts still represent some risk to your private information and system and network integrity. Unlike ActiveX, these scripts do not have associated digital signatures. However, you can restrict “Active Scripting” on most Web browsers, although doing so may severely affect Web access and many Web sites may not perform properly if Active Scripting is disabled.

Java or Java Applets were designed from the ground up with security in mind. Java uses what Sun refers to as a Sandbox. Each applet is wrapped by a set of rules that prevents it from accessing system resources. Java Applets therefore may not interact with file systems. There are only 10 system variables that Java Applets can retrieve. These variables are needed for the Java Applets to perform their job. This still represents an all-or-nothing approach to security, because no distinctions are made based on the level of trust associated with the source of each applet. The biggest risk is associated with Java’s complexity and known security breakdowns. Java Applets have been around for a long time. They have reached a mature level and should be considered safe. Unfortunately, the very things that make Java Applets safe limit their usefulness for enterprise computing.

On  the  Horizon 

Sun is extending Java’s security to include more ActiveX-like capabilities and is incorporating a digital signature as well. This updated version is referred to as the Java 2 security model. Its major improvement over ActiveX security is the assignment of different permission levels based on local security policy and trust levels assigned to each applet’s source. These improvements will make Java Applets more competitive with ActiveX, but incorporate many of the same security risks. Not one to give up the lead, Microsoft is making noises about extending the security model for ActiveX as well.

Other mobile code that puts your systems at risk includes MacroMedia’s ShockWave, RealNetworks’ RealPlayer, Sun’s Safe-Tcl, and other plug-ins that you add to your browser. When you connect to a Web page that contains code requiring one of these plug-ins to function properly, the code will be downloaded to your local workstation and activate the associated plug-in. If you have not installed the particular plug-in, your browser will generate an error message. These plug-ins don’t offer the same flexibility as ActiveX but nonetheless pose some risk. What is even riskier is the plethora of new plug-ins that are anticipated in the near future as more and more companies try to market to the Internet. And, hold onto your hats, just around the corner is the “mobile agent,” mobile code that can jump from one system to another. This prospect will be reserved for a future discussion.

It is likely that over the next 18 months, DoD will be required to replace all mobile code-enabled Web pages on its vast network of over 2,500 primary Web sites with server-only Web pages. This will be a tremendous undertaking but will result in a mobile code-free environment. Achieving this will set the stage for the next step: forcibly restricting access to mobile code on all DoD networks.

In the meantime, an ever growing number of security products on the market provide some level of protection from malicious mobile code. Some of these products are Finjan’s Enterprise Desktop Security, SurfinGate, and SurfinShield; Trend Micro’s InterScan, WebProtect, and Web VirusWall; and Computer Associates’ Unicenter TNG, SafeGate (Security 7), Safe Agent (Security 7), and SessionWall.

For now, what can and should be done? The following list contains some reasonable precautions:

• Lock down your browser.

• Include only those plug-ins that are required for your job. Entertainment should stay at home.

• Set your browser to a high security setting.

• Prompt for ActiveX and Active Scripting. Refuse to accept the first time around. If you find you need to run the mobile code, think carefully before you try it.

• Never surf as a privileged user (Domain Admin, Account Operator, etc.).

• Use a sanitized machine. Never surf from a server or system containing important data.

• Back up your hard drive often.

• If prompted to open or save a file, always save executables, and run a virus scan on the file before and after execution. Be careful; compressed files may defeat a virus scan.

• Don’t assume that a negative scan means you are safe. Virus software will not detect new viruses, Trojan horses, or unique malicious code.

• Network administrators should consider ways of restricting mobile code at the firewall.

• System administrators should consider (1) using third-party software that evaluates mobile code for privileged access or malicious intent and (2) preloading ActiveX code needed to support known Web-based applications.

• Developers should adopt server-only solutions, using development software such as Cold Fusion.

• Security administrators should issue policies and guidelines on the use of mobile code.

• Users should receive training concerning the risk associated with mobile code and how to manage the settings in their browser software to mitigate these risks.
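The browser lockdown recommended above (prompt for ActiveX and Active Scripting instead of running them silently) is stored by Internet Explorer as per-zone URL-action values in the registry. The following PowerShell script is an added example, not part of the article, that audits those values for the Internet zone and can apply the "prompt each time" setting; it assumes a Windows host with PowerShell and uses the standard IE action IDs and value meanings (0 Enabled, 1 Prompt, 3 Disabled).

```powershell
# Added example: audit and harden the Internet Explorer "Internet" zone (zone 3)
# for the mobile-code settings the article recommends. Assumes it runs on Windows
# as the user whose browser profile is being checked.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Standard IE URL-action IDs (stored as hex-named DWORD values under the zone key).
$Actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
}

# Value semantics IE uses for these actions.
$Meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneActionState {
    param([string]$Action)
    $item = Get-ItemProperty -Path $ZonePath -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: IE falls back to the zone default
    return [int]$item.$Action
}

function Test-MobileCodePosture {
    # Returns one record per action; Compliant is $true only when the action is
    # set to Prompt or Disabled, i.e. mobile code cannot run without the user's say-so.
    $findings = @()
    foreach ($id in $Actions.Keys) {
        $state = Get-ZoneActionState -Action $id
        $label = if ($null -eq $state) { 'not set (zone default)' } else { $Meaning[$state] }
        $ok = ($state -eq 1) -or ($state -eq 3)
        $findings += [pscustomobject]@{
            Action      = $id
            Description = $Actions[$id]
            State       = $label
            Compliant   = $ok
        }
    }
    return $findings
}

function Set-PromptForMobileCode {
    # Applies the article's advice: prompt for ActiveX and Active Scripting.
    # With -DisableUnsigned, unsigned and unsafe-for-scripting controls are
    # disabled outright rather than prompted for.
    param([switch]$DisableUnsigned)
    foreach ($id in $Actions.Keys) {
        $value = 1                                                    # Prompt
        if ($DisableUnsigned -and ($id -in @('1004', '1201'))) { $value = 3 }  # Disabled
        Set-ItemProperty -Path $ZonePath -Name $id -Value $value -Type DWord
    }
}

# Report the current posture; run Set-PromptForMobileCode -DisableUnsigned to remediate.
Test-MobileCodePosture | Format-Table -AutoSize
```

On a domain-joined machine these values may be enforced by Group Policy under HKLM, in which case the per-user values reported here are overridden and the policy should be audited instead.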

So, is mobile code worth the risk? Yes. But only if you fully understand what those risks are and take appropriate measures to protect your data, your workstation, and your network.

References

Angel, Jonathan, “Mobile Code Security,” NetworkMagazine.com, December 1999, available on-line at http://NetworkMagazine.com/.

Blacharski, Dan, “Mobile Code: Handle with Care,” NetworkMagazine.com, December 1999, available on-line at http://NetworkMagazine.com/.

Brown, Doug, & Spangler, Tod, “DoD Weighs JavaScript Ban,” Inter@ctive Week, November 22, 1999.

Clark, Elizabeth, “Mobile Code Safety,” NetworkMagazine.com, December 1999, available on-line at http://NetworkMagazine.com/.

Ferris, Nancy, “DoD Weighs Ban on Advanced Web Technology,” GovExec.com, October 7, 1999, available on-line at http://govexec.com/.

“Frequently Asked Questions—Java Security,” Java Web site, available on-line at java.sun.com, accessed July 22, 1998.

Karve, Anita, “Securing Java and ActiveX,” NetworkMagazine.com, December 1998, available on-line at http://NetworkMagazine.com/.

McGraw, Gary, & Felten, Ed, Securing JAVA: Getting Down to Business with Mobile Code, John Wiley & Sons, Inc., January 1999.

Mendel, Brett, “Mail Hacks Affirm Mobile Code Fear,” LanTimes, September 14, 1998.

Nelson, Matthew, “BubbleBoy Worm Infects without Opening File,” InfoWorld Services, November 10, 1999, available on-line at http://infoworld.com/.

Richardson, Robert, “Taking a Flying Leap,” NetworkMagazine.com, December 1999, available on-line at http://NetworkMagazine.com/.




IA Training

continued from page 25

course focuses on firewalls, with hands-on training on the Raptor-Eagle firewall. The final day includes an introduction to intrusion detection systems (IDS), with hands-on training on the Real Secure IDS. The primary aim of the router, firewall, and IDS training is to give the SAs and NMs hands-on training with these network security tools so that students know the tools’ capabilities, although not necessarily how to use a specific tool or application.

The main goal of the SAS and the NMS courses is to educate and train SAs and NMs in how to secure their information system platforms and networks. A secondary goal is to give students additional resources and reference material to help them secure their information systems at their duty stations. To support this secondary goal, in addition to the 2 weeks of training, each student is given handouts, including an NT security checklist and a UNIX security checklist, along with a CD that includes all class material and additional references and sources. The CSS has trained more than 1,000 personnel to the Phase 2 IA security certification level.

All three of the courses described above are continually changing because of the rapid changes occurring in operating systems, security tools, and regulations. The CSS remains committed to providing these courses; keeping them up to date; and helping ISSOs, SAs, and NMs win the IA battle.

Major Mark V. Hoyt may be reached at hoytm@gordon.army.mil.


DISA IPMO Products Promote Information Assurance Worldwide

Edward Smith


The Defense Information Systems Agency (DISA) Information Assurance Program Management Office (IPMO) produces award-winning, interactive CD-ROMs and videos for use by information assurance (IA) professionals throughout the Department of Defense (DoD) and the Federal Government. With titles like Operational Information Systems Security (OISS), CyberProtect, and Federal INFOSEC Awareness, these CD-ROMs seek to enhance computer security awareness across all levels of every government agency, at no cost to the user. More than 175,000 of these products have been disseminated since July 1997.

Several IPMO products have been nominated for industry awards. CyberProtect was a big winner, taking two of NewMedia magazine’s 1999 Gold Invision Awards (Best Overall Design and Technical Training) and the 1999 Cinema in Industry (CINDY) Competition Silver Award. CyberProtect also received a favorable review in Federal Computer Week in December 1999.

DISA and other defense organizations use a combination of OISS, DoD INFOSEC Awareness, and CyberProtect in the Level 1 certification of their system administrators. In fact, these products have been so successful in reaching and educating the end user that several Federal agencies have tailored IPMO CD-ROMs for use in their organizations.

Figure: CyberProtect

New products are in the works, including Secret and Below Interoperability (SABI) and UNIX Security for System Administrators. These new courses will be Web delivered, cutting down on distribution costs and giving users instant Internet access to the information and to product updates.

Finally, the IPMO has developed an on-line, automated product order form that will allow paperless receipt and distribution of products. To order, the user simply fills out the form at our Web site and submits the order electronically to our shipping department. In most cases, the order will be sent out within a few hours. Best of all, the user can track the progress of the shipment using his or her order number or E-mail address.

To order CD-ROMs and videos at no charge, or to obtain a complete list of product descriptions, visit our new Web site at http://iase.disa.mil:88/ProductOrder.html or use the order form on the next page.




INFOSEC Training and Awareness Products

Order Form

INFOSEC Program Management Office
5113 Leesburg Pike, Suite 110
Falls Church VA 22041-3204
Attn: Product Distribution

Commercial: 703-681-7944/3476 DSN: 761
Fax: 703-681-1386
E-mail: DODIAETA@ncr.disa.mil
Homepage: http://www.disa.mil/infosec

How did you hear about our products?

o World Wide Web  o Word of Mouth  o *Conference  o *Class  o *Other
*Specify ________

Customer Information

Name ________  Title ________  Date ________

Command/Org/Agency ________  Dept/Mail Code ________  Phone: (____) ________  DSN ________

Address ________  Fax: (____) ________

City ________  State ________  Zip+4 ________  E-Mail ________

NOTE: If you have ordered IPMO Products before and your address has changed, mark here o

Mark appropriate organization:

o OSD  o Joint Staff  o CINC (specify) ________

o Army  o Navy  o Marines  o Air Force  o Coast Guard

o Defense Agency (name) ________

o Non-Defense Agency (name) ________

o Government Contractor (Agency contracting with) ________

o Other ________

Products are unclassified and available at no cost. Videos may be reproduced (for government use only) without further permission.

Multimedia CD-ROMs

o DoD or o Federal INFOSEC Awareness, V.1 (Select One)

o Operational Information Systems Security (OISS), Vols. 1 and 2, V.1.2 (Set of two)

o Fortezza Installers Course for Windows NT 4.0, V.1

o Introduction to the DITSCAP, V.1.1

o Information Age Technology, V.1.03

o IA for Auditors and Evaluators, V.1.04

o Designated Approving Authority (DAA) Basics, V.1

o CyberProtect, V.1 New!

o System Administrator Incident Preparation & Response (SAIPR) for Windows NT, V.1.1 (for System Administrators) New!

Videos

o Understanding PKI (DOD) (13 min)

o Networks at Risk (NCS) (10 min)

o Information Front Line (IW) (1C) (10 min)

o Bringing Down the House (IW) (NSA) (11 min)

o Computer Security 101 (DOJ) (11 min)

o Computer Security - The Executive Role (DOJ) (9 min)

o Safe Data: It’s Your Job (DOL) (19 min)

o Think Before You Respond (US Gov) (3 min)

o Protect Your AIS (US Gov) (6 vignettes)

o Protect Your AIS, The Sequel (US Gov) (30 min)

o Dr. D Stroye (US Gov) (8 min)

o The Scarlet V (US Gov) (7 min)

o Exploring MISSI (DISA/NSA) (10 min)

Upcoming Products

Information Operation Fundamentals - Winter 99 (Multimedia CD-ROM)




Leveraging the Institution

• What kind of documents do you collect?

• How do I find out about inquiries you’ve processed?

• What scientific and technical information (STI) has been developed through the TAT program?

Mr. Robert P. Thompson
Director, IATAC


These  questions  have  been 
generated  by  our  users  as 
they  seek  answers  to  their  In¬ 
formation  Assurance  (IA)  re¬ 
quirements.  To  support  our 
users  demand  for  additional  IA 
information,  IATAC  has  intro¬ 
duced  two  new  products  to  pro¬ 
mote  current  awareness  of 


IATAC  products  and  services: 
Collection  Acquisitions  CD- 
ROM  and  the  Quarterly  Bul¬ 
letin. 

IATAC  is  chartered  to  collect 
IA-related  STI.  Our  collection 
activities  are  focused  on  an  es¬ 


tablished  set  of  resources  from 
the  research  and  development 
(R&D),  policy,  acquisition,  and 
operational  communities  that 
have  traditionally  produced  IA- 
related  STI.  In  an  effort  to 
transfer  that  knowledge  to  the 
I A  community,  IATAC  has  gen¬ 
erated  a  CD-ROM  of  new  acqui¬ 
sitions  to  the  IA  collection.  Pro¬ 
duced  on  a  bi-annual  basis,  the 
initial  Collection  Acquisitions 
CD-ROM  includes— 

•  Joint  Vision  2020 

•  Kosovo  After-Action  Report 

•  Information  Assurance 
Legal,  Regulatory,  Policy  and 
Organizational  Considera¬ 
tions 

•  Joint  Staff  Defense  in  Depth 
Brochure 

•  Defending  America’s 
Cyberspace  National  Plan 
for  Information  Systems 

•  And  More.... 

To  obtain  a  copy  of  the  IA 
Collection  Acquisitions  CD- 
ROM,  simply  complete  the 
IATAC  order  form  (page  39) 
and  fax  it  to  us  or  download 
and  complete  the  product  form 
on  the  IATAC  home  page 
(http://iac.dtic.mil/ iatac) . 

Information  Analysis  Cen¬ 
ters  (IACs)  are  structured  such 
that  other  DoD  organizations 
can  leverage  the  results  of  pre¬ 


viously  acquired  STI  resulting 
from  the  inquiry  process  and 
the  technical  area  task  (TAT) 
program.  The  STI  developed  in 
response  to  technical  inquiries 
are  entered  into  the  acquisition 
holdings  for  further  access  and 
use  by  other  organizations  with 
similar  technical  questions.  In 
addition,  the  products  devel¬ 
oped  through  the  TAT  program 
are  entered  into  the  acquisition 
holdings  and  can  be  leveraged 
by  other  DoD  users  to  address 
their  IA  requirements.  Sec¬ 
ondary  distribution  of  TAT 
products  are  processed  in  ac¬ 
cordance  with  distribution 
statements.  To  further  dissemi¬ 
nate  information  developed 
through  the  inquiry  and  TAT 
programs,  IATAC  is  producing 
the  Quarterly  Bulletin  that  pro¬ 
vides  a  summary  of  inquiries 
and  identifies  new  STI  devel¬ 
oped  through  the  TAT  program. 
Contact  IATAC  via  E-mail  at 
iatac@dtic.mil  to  be  added  to 
the  distribution  list  for  the 
Quarterly  Bulletin. 

The  IATAC  Collection  Acqui¬ 
sition  CD-ROM  and  the  Quar¬ 
terly  Bulletin  are  a  result  of 
IATAC’s  continuing  examina¬ 
tion  of  ways  to  better  support 
the  DoD  IA  Community  and 
our  continuing  resolve  to  Sup¬ 
port  the  Warfighter! 


36 




IO/IA Visualization Technologies State of the Art (SOAR) Report


This report provides a synopsis of the information visualization industry, the industry's associated technologies, and visualization methodologies. It is written for a broad audience, principally for those unfamiliar with this technology, new to the industry, or seeking visualization capabilities for the first time. This report is written for system users. Visualization is, by nature, user-centric. Visualization technologies, for example, allow users to interact with information systems. Therefore, users must first understand what visualization is, what its capabilities and restrictions are, and what ideas factor into its use.

This SOAR should help readers decide whether visualization is appropriate to their needs, determine what types of visualization technologies are available and relevant, and formulate possible strategies for implementing a visualization solution. To order this report and our other products, complete the form on page 39.


IA Metrics CR/TA

This report establishes the fundamentals of metrics development methodology and metrics program establishment. It answers the following questions:

• What are IA metrics?

• Why do organizations need them?

• How can they be used?

• What is the process for developing IA metrics?

• What IA metrics already exist, and what are their strengths/weaknesses?

• What is the future direction for IA metrics?

This report is intended to further facilitate the IA metrics discussion within the IA community, assist organizations in developing IA metrics, and provide guidance to organizations about how to establish their IA metrics programs. It provides examples of specific metrics that can be derived using the proposed methodology. The report also describes several ongoing metrics development, collection, and application efforts. A database of metrics, collected from multiple sources, is available from IATAC.


Defense in Depth CR/TA

This report describes the impact of evolving technology on the defense in depth strategy. The execution of the strategy requires a significant number of different security and networking technologies.

This report focuses on examining the trends and giving an overview of the relevant technologies. It reviews the strategy and discusses its implementation in the Defense Information Infrastructure (DII). Key elements of the strategy and current implementation of the strategy are discussed.


37 




38




Data Mining CR/TA

This report provides an overview of data mining techniques, applications, and COTS data mining software products. Data mining is used to discover previously unknown and meaningful relationships by sifting through large amounts of stored data. Data mining has applications in marketing, information assurance, risk management, and fraud management. To help users select a product that best meets their objectives, data mining tool evaluation criteria are provided. A table summarizing the features of available products is also provided.

Data Embedding for IA SOAR

Provides an assessment of the state-of-the-art in data embedding technology and its application to IA. It is particularly relevant to: information "providers" concerned about intellectual property protection and access control; information "consumers" who are concerned about the security and validation of critical information; and law enforcement, military, and corporate organizations concerned about efforts to communicate covertly. The report has been specifically designed for readers who are not experts in data embedding. For more in-depth information, the bibliography provides an extensive list of authoritative sources from which the reader can obtain additional technical detail.

Computer Forensics—Tools and Methodology

This report provides a comparative analysis of currently available software tools used in computer forensic examinations. It provides a useful introduction to this specific area of science, and offers practical high-level guidance on how to respond to computer system intrusions. This report provides a useful analysis of specific products, including their respective capabilities, unique features, cost, and associated vendors.

Malicious Code Detection SOAR

This report includes a taxonomy for malicious software, providing a better understanding of commercial malicious software. An overview of the state-of-the-art commercial products and initiatives, as well as future trends, is presented. The report presents observations and assertions to support the DoD as it grapples with this problem entering the 21st century. This report is classified and has a limited release.




Biometrics: Fingerprint Identification Systems

Focuses on fingerprint biometric systems used in the verification mode. Such systems, often used to control physical access to secure areas, also allow system administrators to control access to computer resources and applications. Information provided in this document is of value to anyone desiring to learn about biometric systems. The contents are primarily intended to assist individuals responsible for effectively integrating fingerprint identification products into their network environments to support the existing security policies of their respective organizations.

Order Form on Page 39




IMPORTANT NOTE: All IATAC Products are distributed through DTIC. If you are NOT a registered DTIC user, you must do so PRIOR to ordering any IATAC products. TO REGISTER ON-LINE: http://www.dtic.mil/dtic/regprocess.html.

Name ________________  DTIC User Code ________________

Organization ________________  Ofc. Symbol ________________

Address ________________  Phone ________________

________________  E-mail ________________

Fax ________________

DoD Organization?  □ YES  □ NO  If NO, complete LIMITED DISTRIBUTION section below.

LIMITED DISTRIBUTION

In order for Non-DoD organizations to obtain LIMITED DISTRIBUTION products, a formal written request must be sent to IAC Program Office, ATTN: Sherry Davis, 8725 John Kingman Road, Suite 0944, Ft. Belvoir, VA 22060-6218

Contract No. ________________

For contractors to obtain reports, request must support a program & be verified with COTR

COTR ________________  Phone ________________

IA Collection Acquisitions CD-ROM

□ June 2000

Critical Review and Technology Assessment (CR/TA) Reports

□ Biometrics  □ Computer Forensics  □ Defense in Depth  □ Data Mining

□ IA Metrics  □ Modeling & Simulation

IA Tools Report

□ Firewalls  □ Intrusion Detection (2nd Ed.)  □ Vulnerability Analysis (2nd Ed.)

State-of-the-Art Reports (SOARs)

□ Data Embedding for Information Assurance  □ IO/IA Visualization Technologies

□ Malicious Code Detection  [ □ TOP SECRET  □ SECRET ]

Security POC ________________  Security Phone ________________

UNLIMITED DISTRIBUTION

Newsletters (Limited number of back issues available)

□ Vol. 1, No. 1  □ Vol. 1, No. 2  □ Vol. 1, No. 3

□ Vol. 2, No. 1  □ Vol. 2, No. 2 (soft copy only)  □ Vol. 2, No. 3  □ Vol. 2, No. 4

□ Vol. 3, No. 1  □ Vol. 3, No. 2  □ Vol. 3, No. 3  □ Vol. 3, No. 4

Please list the Government Program(s)/Project(s) that the product(s) will be used to support:

Once completed, fax to IATAC at 703.289.5467


39 




calendar

September

13-14  Biometric Consortium 2000 Conference. Gaithersburg, MD. http://www.nist.gov/public_affairs/confpage/000913.htm

25-28  e-Gov 2000. Alexandria, VA. www.e-gov.com

27-28  Second Annual Commonwealth of Virginia Information Technology Symposium. Lexington, VA. Held at the Virginia Military Institute. http://csrc.ncsl.nist.gov/events/

October

3-5  AFIWC Information User's Conference. San Antonio, TX. POC: SSgt Kari Garcia, 210.977.2870, DSN: 969

11-12  The Hacker Phenomenon: Tools and Penetration Techniques. Atlanta, GA. http://www.infowar.com/conf/00/conf_080700aJ.shtml

17-19  DoD Security Managers' Conference. Williamsburg, VA. http://www.sctymgrconf.com

24-26  Third Information Survivability Workshop. Boston, MA. Sponsored by IEEE Computer Society and the US State Department. http://www.cert.org/research/isw.html

November

8-9  Army IA Industry Days 2000. Hilton Hotel, Crystal City, VA, at Reagan National Airport. POC: Mr. Zadil Ansari, 703.604.6865, DSN: 664

12-13  DoD PKI Users Forum. Las Vegas, NV. http://www.iaevents.com


Information  Assurance  Technology  Analysis  Center 
3190  Fairview  Park  Drive 
Falls  Church,  VA  22042 


